I have a couple of clients who regularly get their Yahoo accounts hijacked. Older clients so will have fairly tame surfing habits, though one of them visits a lot of hotels. Maybe that is the route. Hard to tell.
The same pattern happens each time where the scammer mails out "Help I need cash" messages from the yahoo account to everyone in the address book. They then delete your address book. The ReplyTo: address will have been changed on the account. Often to the same name but at a different free mail host. So anyone replying to the scam will be directed to the scammer.
Last time this had happened the broken Yahoo mail interface was stopping us correct the issue due to a bug in the interface, but I flipped back to the old interface and all was well again.
You really have to dig deep into all the settings to remove all traces of the scammer's control of the account. They tend to go in and change as many of the contact details as possible.
2FA is now enabled, but as it is Yahoo I am still expecting to hear back from one of these clients again soon the next time the account is hijacked.
And to the commentard above who claim this is just idiot users... with my clients there have been no typing in details on phishing sites. I train a healthy level of paranoia into my clients which means they have certainly not done anything as daft as that. I wish I could get them off of the Yahoo accounts, but they often don't like change.