Sometimes I really wonder how people who actually don’t have a clue about those matters while there is clearly enough documentation for large audience in YouTube about those matters, end up on these kind of project like eve-tech.
You don’t provide enough informations for us to help you.
1/ Was your password à matricule ? A combination of your name or something provided by uni ? Things that could be generic for all students ?
2/ was your password the same than in other websites ?
3/ was your password in the database of haveibeenpwned.com?
4/ what was the composition of your password ?
5/ who control the WiFi connection? The it of the Uni or some third entity? In the case of some uni in Belgium it would be the city.
6/ how do you actually know it’s the WiFi of the uni? How do you identify it ?
7/ what kind of WiFi is it ? Is it a radius connection or wep? Wpa ? Look on YouTube on how to identify correctly the security protocol in place. If there is no certificate it is most likely not radius.
8/ is it the same password than on the infrastructure of the uni?
9/ I didn’t understand a thing about your mail story. So you are saying that the mails were sent from your gmail account ? Man really be clearer or do some screenshots.
So about the WiFi password, depending of the kind of connection it’s easily hackable. The guy/girl just need to be in your surroundings and having you disconnected several time in a specific order and time frame. If it is a radius connection secured by a certificate, to my knowledge, the only way with reasonable ressources and not a supercomputer and if the radius server has been well configured is to hack the Uni server or one of your hosts.
The actual antivirus can’t protect from crafted Trojan. Just look at the noob Micode on YouTube about him making a Trojan not detected by kaspersky and you’ll see. And this guy didn’t have any degree in computer science nor is he a recognized hacker.
The only way you can protect yourself is to reinstall Windows and flash your bios in the worst case.
If you used a generic password then clearly you were quite’ inconscious and this guy has just poking around website like haveibeenpwned to retrieve your password.
What I can be sure of is, if you used gmail and he got access to it, you can look in your recent activity why peripherals have accessed it and when and from where. But the only way he could have found your password is through hacking your host or if you used a generic password. Every transaction with google is encrypted, mail software through imap starttls or website through tls certificate.
Plus you could have avoided it by activating 2FA.
For the website you visited, since as I’ suspecting it it’s not through a radius server that you are connecting to your WiFi, he/she can easily wireshark your surfing experience and see which website you are visiting, which exact URL. But if the website is secured with a certificate then he can’t see shit about what are you doing exactly on this website, unless your hosts are hacked.
To be sure to protect you from those kind of things, when you are any WiFi, use a VPN. He will know that you are using a vpn and which one with the IP address but he won’t be able to see shit, unless again your hosts are hacked.