Hacking, Spoofing or Malware explosion


It could be just coincidence, but in the week that my wife complains that her account has been 'hacked', I receive dodgy emails from most of the people I know who still use Yahoo accounts.

When my wife received reports from her contacts that they had received a dodgy spam email from her account, she logged in to check (she only uses the webmail interface). In her outbox were two of the spam emails, but curiously they were marked as being sent to 'Recipients Unavailable' (or similar phrase). In my experience, whether you send emails to one person, several or a distribution list full of people, it will record this fact and allow you to view the details in your Outbox later.

When she raised this with me, I noticed that I'd had spam mails from a number of friends and family – all of whom were using Yahoo. I assume a similar thing has happened to them.

As far as we can tell, my wife's PC is clean, and she's changed the password to something else. But the fact about the recipients of these emails suggests that they originated neither from her (not-infected) PC nor from somebody/thing accessing her webmail directly, but from a third party that either knew her credentials or didn't need credentials.

Given that everyone I know with Yahoo (that is, anyone who has one of my email addresses stored in their Yahoo account) seems to be similarly affected, I assume it would be a big issue – but after googling, I've found no mention of any Yahoo problems beyond the usual ones.

Can anyone offer any insight?

Best Answer

You have listed the three reasons, so it's good that you are aware of them... Let's go through them:

  1. Hacking

    You handled this just fine by quickly changing your password.

  2. Spoofing

    The SMTP protocol (the connection used to send mails) allows anyone to specify the address the mail originates from. So for instance, I could send a mail from any Yahoo address without knowing any password; it's possible, but it's illegal...

    Most of the time, you can't do much against spam, but if it keeps happening you can at least try to identify where the mails are coming from. You can do this by requesting someone who received your mail to check the mail headers and send you the data that is in there.

    This allows you to inspect the IP/host it comes from and inform their ISP about the spam.

  3. Malware explosion

    You handled this just fine by verifying the computer is clean.
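The header check described in the answer above can be scripted. The following is an added example, not part of the original answer: it reads the `Received` and `Authentication-Results` headers from a forwarded message and reports which IP handed the mail to the recipient's own server. The sample message, host names and the `trusted_receiver` parameter are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (example domains, RFC 5737 documentation IPs).
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby mailstore.recipient.example with ESMTP id A1; Mon, 1 Jan 2024 10:00:05 +0000
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=bulk.example; dkim=none
Received: from unknown-host.example (unknown [203.0.113.45])
\tby mx.recipient.example with SMTP id B2; Mon, 1 Jan 2024 10:00:03 +0000
From: "Friend" <friend@yahoo.example>
To: you@recipient.example
Subject: check this out

http://spam.example/
"""

# "from <HELO name> (<rDNS> [<IP>]) by <receiving host>" as most MTAs write it.
HOP_RE = re.compile(
    r"from\s+(\S+)\s+\([^()\[]*\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def received_hops(raw):
    """Return (helo_name, ip, receiving_host) per Received header, newest first."""
    msg = message_from_string(raw)
    found = (HOP_RE.search(v) for v in msg.get_all("Received", []))
    return [m.groups() for m in found if m]

def summarize(raw, trusted_receiver):
    """Report who handed the mail to a server we trust, plus SPF/DKIM verdicts."""
    msg = message_from_string(raw)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    # Headers are prepended, so the first hop written by our own server is genuine;
    # anything below it was supplied by the sender and may be forged.
    handoff = next((h for h in received_hops(raw) if h[2] == trusted_receiver), None)
    return {
        "claimed_from": parseaddr(msg.get("From", ""))[1],
        "handoff_helo": handoff[0] if handoff else None,
        "handoff_ip": handoff[1] if handoff else None,
        "auth": dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth)),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE, "mx.recipient.example"))
```

A `From` address at the mail provider combined with a handoff IP outside that provider and a failing SPF result points to spoofing rather than a compromised account; the handoff IP is the one to report to its ISP.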