Re: MySQL users question
Posted by: Rick James
Date: June 07, 2011 10:13AM

You may not have been hacked. The default setup is rather insecure. Here are some things to note.

Access to your machine is controlled by these fields in mysql.user:
user -- login name
host -- where he is coming from
password -- encrypted version of his password, or '' if no password.

host='localhost' -- applies to the machine where the server is
host='%' -- anywhere

In addition, if all the Priv columns are 'N', then it will recognize the user, but not allow him to do anything. Some of the 'extra' rows may be like this.

Further, when doing something like this (which is highly advised for every application on your server):
GRANT ... ON dbname.* TO user@'%' IDENTIFIED BY '...';
mysql.user will show all 'N' for Privs, but
mysql.db will show the actual Privs for `dbname`.

When looking for hackers, look especially for
Priv_grant = 'Y'
Priv_super = 'Y'
Those two privileges should be guarded most carefully. It is probably best to have those granted only to root@localhost, and have a non-trivial password for 'him'.
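The checks described in the post above, written out as queries; this is an added example, not part of the original post. The two privileges the post singles out are stored in mysql.user as the columns Grant_priv and Super_priv. The queries assume the older grant-table layout the post describes, where mysql.user has a Password column (on MySQL 5.7 and later that column is authentication_string).

```sql
-- Added example: audit queries for the grant tables, run as an administrative user.
-- Assumption: pre-5.7 schema, where mysql.user.Password holds the password hash.

-- 1. Accounts holding GRANT OPTION or SUPER, with the reasons each row deserves a look.
--    CONCAT_WS skips NULL arguments, so only the conditions that apply are listed.
SELECT User,
       Host,
       Grant_priv,
       Super_priv,
       CONCAT_WS('; ',
           IF(Password = '', 'empty password', NULL),
           IF(Host = '%', 'can connect from any host', NULL),
           IF(User = '', 'anonymous account', NULL),
           IF(NOT (User = 'root' AND Host = 'localhost'),
              'not root@localhost', NULL)
       ) AS findings
FROM mysql.user
WHERE Grant_priv = 'Y' OR Super_priv = 'Y'
ORDER BY User, Host;

-- 2. Every account with no password, privileged or not.
SELECT User, Host
FROM mysql.user
WHERE Password = ''
ORDER BY User, Host;

-- 3. Per-database privileges. An account created with
--    GRANT ... ON dbname.* shows all 'N' in mysql.user; its real
--    privileges, including a per-database GRANT OPTION, are here.
SELECT Db,
       User,
       Host,
       Select_priv,
       Insert_priv,
       Update_priv,
       Delete_priv,
       Grant_priv AS db_grant_option
FROM mysql.db
ORDER BY Db, User, Host;
```

An empty result from the first query means no account holds either privilege globally; a single row for root@localhost with an empty findings column except nothing listed is the state the post recommends.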
