A spam email that went to the Inbox stating that Yahoo! was going to close all inactive accounts if you did not click on this link and log in was probably how the attacker got the passwords. The link went to one of those off-shore URLs that we should all avoid.
Phishing is still alive and well.
And there are a lot of gullible people to phish for.