It is a bit difficult to answer - but I try anyway. Generally spoken a user can only get operator status (@) if he has somehow permssion. This can be given in several ways:
The user has
- an entry in the channel database if the network has channel services bots like ChanServ, X, ChanOP etc
- an entry in an eggdrop bot, where he has been added
- the password for the above options
There are some major rules to prevent such things as you described above
- Never give your password to anyone
- Add only trusted people to the operators list
- Always type messages containing your password in the Status window