It’s also possible to have a trojan on your PC which has harvested the contacts and is being used by an automated network (aka botnet) to send spam. It’s possible for it to have used your Hotmail connection to do it, especially if you have Hotmail set up in you mail software on the PC. Doesn’t even need to hack the account then, it just takes control of your mail software.
As well as a virus scan, Malwarebytes is worth a run.
Anyway, as a security option you can enable two factor authentication with your Microsoft account which makes it much harder to hack the password. It’s a bit more technical as it needs you to verify a first time log in on a device using a text message to your phone, or with an authentication app on the phone.