Even someone with brief access to your laptop could simply run ssh-copy-id to some remote server they control.
ssh-copy-id transfers the public key. That is fine. Your public key can be public. It's the private key that you have to protect and often have encrypted.
Stories like this make me want to change all my passwords and move to new hot wallets. This is why I keep my large stash in an offline Armory wallet.