Fake cookies were the culprit, not password theft.
Business Insider UK explains:
Russian spies and hackers teamed up to break into thousands of Yahoo accounts, the US Department of Justice said on Wednesday.
The breach involved more than 500 million stolen Yahoo accounts, representing one of the biggest hacks of all time.
So how did the hackers do it?
Essentially, the hackers managed to get hold of a secret directory that contained Yahoo usernames, encrypted passwords, and other information. They then used that data to trick Yahoo into thinking their web browsers were already logged into Yahoo's online service — a clever technique that meant they never needed to actually decrypt any passwords.