I work in IT and it's scary how easy it is to hack into anything with a password. There are several common methods; even 12-year-old kids can do these.
1) Brute force attack - a simple script that will simply keep logging into your account with different combinations of letters until it hits yours. This is especially easy with dictionary words, as the scripts can locate those combinations very quickly. They will just try and try and try over again until they get in.
2) Malware - You may have downloaded an application to your desktop or phone, and the application was infected with a trojan horse, which was sniffing your keystrokes, and then uploading them remotely to the hacker.
3) Phishing - even if you swear you weren't logging into any unprotected websites with a password, even rolling over stupid ads is enough to activate controls on your browser and infect you.
4) Shoulder watchers - you know with the iPhone it doesn't screen your letters as you type them until after a few seconds. The number pad is also easily readable. There are stalkers in public places who will just cozy up behind you and you will never know it, either filming your keystrokes with a camera or more commonly just watching you put them in.
5) A soft target website - Maybe you signed up for some casual hobby forums, and you use the same password EVERYWHERE. Well, the webmaster for that site didn't encrypt his passwords in the database, or he was storing master passwords in clear text on his server. Once the hacker finds that master password, he has access to EVERYTHING in the database, including your password, which you use everywhere. So now that he has your password, and your email, he's going to make the rounds on all the top sites - PayPal, eBay, Amazon, email accounts, everything, and see what he has access to. This only takes 15 minutes as it is all scripted, so he just plugs in your password and the script does all the work for him.
6) Port sniffers - Those connecting their computer directly to the internet, with no firewall, and not behind a router, are the most vulnerable. Again, the hacker simply has an automated script that just goes out and scans for open ports on your computer, until he finds an open one. Consider it a back door. Once he's in, he can do fun stuff like start keylogging, and then get your password straight from the source.
All these techniques are very common and easy to do. The programs do all the work, so it's not like Hollywood where some super genius is typing madly into the keyboard with some rocket science Einstein algorithms; he's just downloading common hacker tools that are out there.
Nobody wants to hear this, but it's just like your front door. If someone REALLY wants in, they will get in, it's stupid easy. What you want to do is make it so annoying for anyone trying, that they just get bored and move on to something softer.
My money market account makes you verify a code over the phone, if they don't recognize the computer you're logging in from. It is annoying at first, but I am really glad that they do it.
The password security model is really busted, and in need of modernization. Not trying to scare anyone, but we all need to make sure we aren't taking anything for granted, and follow the simple steps that can cut down 90% of the hacks. Simply changing your password every 90 days, making sure it has an upper case letter and a number in it, that it's not a dictionary word, making sure your firewall is on, keeping your PC updated with the latest patches, will stop most of it.
There are some websites I use a "soft" password that is easy for me to remember, that I could care less about getting hacked on. Those I pretty much expect that if and when someone does get in, there's nothing I care about them having anyway.
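
The storage problem in point 5 and the repeated guessing in point 1 both have a server-side answer. The following is an added example, not part of the original post: a Python sketch that stores only a salted, slow hash of each password and locks an account after repeated failed logins. The class name, thresholds and sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for your hardware
MAX_FAILURES = 5      # assumed lockout threshold

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, derived_key), drawing a fresh random salt if none is given."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, key

class AccountStore:
    """Toy in-memory user table that never holds a plaintext password."""

    def __init__(self, iterations=ITERATIONS):
        self.iterations = iterations
        self.users = {}     # name -> (salt, derived_key)
        self.failures = {}  # name -> consecutive failed logins

    def register(self, name, password):
        self.users[name] = hash_password(password, iterations=self.iterations)
        self.failures[name] = 0

    def login(self, name, password):
        if name not in self.users or self.failures[name] >= MAX_FAILURES:
            return False  # unknown account, or locked after repeated failures
        salt, key = self.users[name]
        _, candidate = hash_password(password, salt, self.iterations)
        if hmac.compare_digest(candidate, key):  # constant-time comparison
            self.failures[name] = 0
            return True
        self.failures[name] += 1
        return False

if __name__ == "__main__":
    store = AccountStore()
    # Constructed sample data: two users who picked the same password.
    store.register("alice", "Blue-Kettle-42")
    store.register("bob", "Blue-Kettle-42")
    print(store.users["alice"][1].hex() != store.users["bob"][1].hex())
    print(store.login("alice", "Blue-Kettle-42"))
```

Because each record has its own salt, a copy of this table does not show which users share a password, and every guess against it costs a full key derivation.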