Nearly every online service (whether financial or not) requires an email to sign up, and more importantly — they usually can be accessed via your e-mail account if it is compromised. Your e-mail account can be compromised if a hacker figures out your password. This is why your e-mail account should have its own password, which is not used elsewhere.
After getting into your e-mail account, the hacker can go to the login page of (almost) any of the online services you provided that e-mail to and request a password reset. The password reset e-mail would be sent to your e-mail and the hacker would then be able to intercept your password reset link and then set their own password — thereby taking control of your account.
Considering how many social media websites, apps, online financial services among other things were probably signed up for with one or two e-mail accounts, accessing your e-mail means that a hacker can take everything from you and make it look like you’re distributing malware, here are just a few examples:
- Online games (via Steam, Origin, etc).
- Online payment services.
- Online exchanges.
- Social media and other accounts such as Facebook, Twitter, and YouTube.
- Online cloud services storing your data.
A hacker could theoretically steal your money, stalk you, pretend to be you online, use your payment services to fund criminal activity, among other things.
Even if you use a different password for financial services like PayPal, you still need to consider in-app purchasing and anything that allows you to send people money or buy anything online needs both a secure password and its own email (or at least use 2FA and a strong password for the email).
The first steps I would take are to enable 2 factor authentication (not SMS-based 2FA, but something better like Google Authenticator or Yubikey) and set unique, strong passwords for each e-mail and service you use online. Or at least use a few different passwords to reduce the impact of a hack. Passwords should contain a combination of letters, numbers, and symbols. Passwords with only numerals are not secure.