1. The hacker first tried to access the account but he did not have the password. He tried a dummy password.
2. Yahoo gave the hacker an option to retrieve password. He said yes.
3. Yahoo asked three personal questions. First the birth date. This information available in the public domain, e.g. Wikipedia. It took 20 seconds.
4. The second question was the zip code of her birthplace. Alaska has only two zip codes. It took another 20 seconds.
5. The third one was tricky and supposed to be personal. "Where did you meet your husband?" Everybody knows that it was her high school. The hacker thought carefully and tried several options. Finally, "Wasilla High" was a hit.
6. The hacker got the password. He changed it to 'popcorn'.
It took 10-15 minutes of relatively easy work to get it all done.
This is how secure we are in the Internet !!!
Note. A possible solution for this would be an 'Account Lockout' mechanism. An attacker tries to guess someone's password, but after a certain number of attempts the account gets locked.