Question:
If someone were to gain access to your account because your password became known, then they could get access to your private keys. Then even if you change your password, the hacker would still have your private keys and could still make transactions in your account. Is that correct? Please help.
You would change your keys using verification from your designated account recovery person, which by default is steem if you created your account through the steemit website: https://steemit.com/steemit/@steemit3/third-update-to-july-14th-security-announcement-account-recovery-begins
You just need access to a private key that was valid in the last 30 days, and confirmation from the person listed on your account as the recovery account. You can see that your recovery account is steem here: https://steemd.com/@doogee
Changing your master password changes your private keys too.
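
Why a password change rotates every key, as an added example that is not part of the original thread or any Steem project's code: it assumes the password-based derivation used by Steem client libraries (SHA-256 over account name + role + password, encoded as WIF), and the account name and both passwords are constructed.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ROLES = ("owner", "active", "posting", "memo")


def b58encode(data: bytes) -> str:
    """Base58 encoding; leading zero bytes become leading '1' characters."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def derive_wif(account: str, role: str, password: str) -> str:
    """Derive one role's private key in WIF form (assumed scheme, see lead-in)."""
    # Seed is account + role + password with whitespace runs collapsed.
    seed = " ".join(re.split(r"[\t\n\v\f\r ]+", (account + role + password).strip()))
    secret = hashlib.sha256(seed.encode("utf-8")).digest()
    payload = b"\x80" + secret  # 0x80 is the WIF version byte
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + checksum)


def role_keys(account: str, password: str) -> dict:
    """All four role keys that follow from a single master password."""
    return {role: derive_wif(account, role, password) for role in ROLES}


def rotated_roles(account: str, old_password: str, new_password: str) -> list:
    """Roles whose private key differs between the old and new password."""
    old = role_keys(account, old_password)
    new = role_keys(account, new_password)
    return [role for role in ROLES if old[role] != new[role]]


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    account, old_pw, new_pw = "alice", "old-master-password", "new-master-password"
    for role, wif in role_keys(account, new_pw).items():
        print(role, wif[:6] + "...")
    print("rotated:", rotated_roles(account, old_pw, new_pw))
```

The keys derived from the old password stop authorizing transactions only once the account's public keys on chain have been updated to the new ones.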