Q1:
Consider a hacker who obtained your HiveSigner password. It will only be able to broadcast transactions to the blockchain if you have imported your posting or active key in HiveSigner. But he won't be able to access the keys themselves. This also applies to your password which is not stored in HiveSigner. That being said, I'm not a fan of HiveSigner.
Q2:
The hacker needs your private active, owner key or Hive password to be able to perform transfers. There are many ways to obtain this information. It's up to you to be vigilant and not to communicate them.
Q3:
Simpler answer: NO
Conclusion: be careful, never provide your private keys to anyone unless you are 100% confident it is safe to do so and even in that case, always perform a double check.
RE: Question to Experts on today's incident - Phishing Attacks