as far as I can see, it could be anything, a virus on a PC, a hosting provider issue etc. The only problematic part I can see is if they were able to guess your password, re-create the cookie and that would log them in automatically.
If you want to make sure, then you can download the below header.php, which will prevent being able to log in via the cookie, replace your original header. Just keep in mind this will make the “remember me” feature non-functional. Hopefully we will find the issue soon.