In surface mail, I wouldn't need to break into Steve Poulton's house in order to send a letter that claimed to come from his address.
In email, I don't need to break into Steve Poulton's account in order to send an email that claims to come from his address.
In surface mail, I wouldn't need to steal Steve Poulton's address book in order to know that he knew certain people, and send them a letter claiming to be from him, as long as I could get hold of any letter or document from anywhere that linked him with them.
In email, I don't need to break into Steve Poulton's address book in order to get hold of an email from anywhere that includes his address and those of a number of people whom he knows; whenever any email is sent to any group of people, it's a fair bet that most of them know each other (and if they don't, I've lost nothing from trying).
With surface mail, breaking into Steve's house would be a relatively troublesome way of getting hold of the information to send a spoof message. It's the same with email; breaking into an account is a relatively large amount of trouble to achieve the aim. It's possible his account has been compromised, but there's no more reason to assume it than with surface mail, in my view.
Steve changing his password was a very good idea. However, the fact he was able to do so is strong evidence that the account had not been compromised. The first act of any half-competent hacker, after breaking in, would be to change the password, so locking Steve out.
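As an added illustration (not part of the original post): the way to tell a forged sender address from mail that really went out through the sender's provider is to read the authentication verdicts the receiving server stamped on the message. The sample messages, names and domains below are constructed, and the sketch assumes the Authentication-Results header was added by the recipient's own mail server.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; all names and domains are made up.
# Assumption: Authentication-Results was added by the recipient's own mail
# server. A copy of that header supplied by the sender proves nothing.
FORGED = """\
Return-Path: <bounce@bulk-host.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bulk-host.example; dkim=none; dmarc=fail header.from=friend.example
From: "Steve" <steve@friend.example>
To: alice@recipient.example
Subject: Have a look at this

(body)
"""

VIA_PROVIDER = """\
Return-Path: <steve@friend.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=friend.example; dkim=pass header.d=friend.example; dmarc=pass header.from=friend.example
From: "Steve" <steve@friend.example>
To: alice@recipient.example
Subject: Minutes from Tuesday

(body)
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or ''."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_results(msg):
    """Map method -> verdict, e.g. {'spf': 'pass', 'dmarc': 'fail'}."""
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in header.split(";")[1:]:   # first field is the server id
            tokens = clause.split()
            if tokens and "=" in tokens[0]:
                method, _, verdict = tokens[0].partition("=")
                found.setdefault(method.lower(), verdict.lower())
    return found

def assess(raw):
    """Summarise whose domain the From line claims and whether it was verified."""
    msg = message_from_string(raw)
    dmarc = auth_results(msg).get("dmarc", "none")
    verdict = {"pass": "from-domain-authenticated",
               "fail": "from-domain-unverified"}.get(dmarc, "no-evidence")
    return {"from": domain_of(msg["From"]),
            "envelope": domain_of(msg["Return-Path"]),
            "dmarc": dmarc, "verdict": verdict}
```

A "from-domain-unverified" result means the domain in the From line did not vouch for the message, which is what a forged sender address looks like and requires no access to the account. A "from-domain-authenticated" result only shows the message went out through that domain's own mail system.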