I don't understand it either, apparently they got first into my home machine (with password auth enabled), grabbed the private key for my work machine and logged in there. No idea as to how.
Does you home machine password have more or less than 60 bits of information (10 character, letters, numbers ,symbols)?
You may want to check the logs for failed login attempts.
I think the lesson here (which I did not know) is that you are going to move to key-based authentication, you should do it everywhere at the same time. Do you log into you home machine from Public computers? is that why you were not using Key based authentication?
Note: until recently, I was using password authentication with about 17 bits of information. Half my security was obscurity (two logins required with different usernames and passwords).