Post by starboya » Thu Apr 09, 2015 6:37 pm

We are using 1.5.6 and I have just found out that our site has been hacked. As far as I can tell the hacker has changed the admin password (there is only one and I have reset it via cPanel) and added their email address to the admin user account. I can't see any other changes. This is very worrying because admin was secured with a very strong password and we've been careful to only install a few key extensions from OpenCart. There isn't anything else running on that domain other than OpenCart. I thought (until now) we'd kept things very tight. I'm at a loss as to why they hacked us. Can't readily spot any SQL type injection links. I'm at a loss as to how they got in, why and what to do about it. Guidance would be appreciated.


Post by OSWorX » Thu Apr 09, 2015 7:04 pm

Without any further information (environment, server log), I guess nobody can help you.
If you have such info, provide it - but not visible here for all!

Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.



Post by Dhaupin » Wed May 13, 2015 1:38 am

Indeed, need more information... But:

The admin password is one thing, but your email password is another. You can have an epic hard root pass, but if there is any recovery mechanism, and they are in your email, then you are haxored.

Another thing is the hosting service in general. Most of them are good and force you to verify secrets, but others do not. Could technically spoof your way to a root recovery on many of the thousands of shitty/amateur/reseller hosts.

https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.
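As an added example (not part of any post in this thread), here is one way to check a web server access log for use of the admin password recovery flow described above, which would show whether the account was taken over through a reset email rather than a guessed password. The route names `common/forgotten` and `common/reset`, the `/admin/` directory, and the 302-on-success behaviour are assumptions about an OpenCart 1.5.x install and should be verified locally; the log lines and IP addresses are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Assumptions (verify against your install): admin recovery routes and admin directory.
RESET_ROUTES = {"common/forgotten", "common/reset"}
ADMIN_PREFIX = "/admin/"

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (documentation IP ranges, reset code redacted).
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Apr/2015:10:01:12 +0000] "GET /admin/index.php?route=common/login HTTP/1.1" 200 2310',
    '203.0.113.45 - - [09/Apr/2015:10:02:03 +0000] "POST /admin/index.php?route=common/forgotten HTTP/1.1" 302 0',
    '203.0.113.45 - - [09/Apr/2015:10:03:40 +0000] "POST /admin/index.php?route=common/reset&code=REDACTED HTTP/1.1" 302 0',
    '198.51.100.7 - - [09/Apr/2015:10:05:00 +0000] "GET /index.php?route=account/forgotten HTTP/1.1" 200 4100',
]

def find_reset_activity(lines):
    """Return {ip: [(time, method, route, status), ...]} for admin recovery requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, when, method, target, status = m.groups()
        url = urlparse(target)
        if not url.path.startswith(ADMIN_PREFIX):
            continue  # storefront customer resets are not of interest here
        route = parse_qs(url.query).get("route", [""])[0]
        if route in RESET_ROUTES:
            hits[ip].append((when, method, route, int(status)))
    return dict(hits)

def completed_resets(hits):
    """IPs that POSTed to the reset route and were redirected (assumed to mean success)."""
    return sorted(
        ip for ip, events in hits.items()
        if any(m == "POST" and r == "common/reset" and s == 302 for _, m, r, s in events)
    )

if __name__ == "__main__":
    activity = find_reset_activity(SAMPLE_LOG)
    for ip, events in activity.items():
        for event in events:
            print(ip, *event)
    print("completed resets from:", completed_resets(activity))
```

Any hit that does not match your own recovery attempts is worth correlating with the mailbox's login history for the same time window.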



Post by OSWorX » Wed May 13, 2015 2:12 am

Would say answering him is wasting time - no response after 1 month.

Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.

