Both accounts were accessed using 'mail.yahoo.com'. The first is in the 'yahoo.com' domain while the second is, 'pacbell.net'. Because I can't use official AT&T member access, now that I am no longer an AT&T DSL customer, I have to access through the regular Yahoo! page.
The URL begins with ». I notice my Gmail URL begins with ».
Is that impt?
For some people, yes. But probably not related to what happened.
In fact, based on the information you provided, there is no unique, definitive explanation. If she ever used Yahoo! Voices within a window of time just after Yahoo! acquired Voices, her password might have been leaked. If she had a weak password, it might have been cracked (such happened to my aunt). Or if she was ever "phished". With most U.S. ISPs, especially the largest ones, blocking outbound port 25, spammers can't use compromised residential computers to send direct to domain MX servers. Their latest technique is to impersonate an ISP mail service, and claim that the user must prove their account is still active by providing the login details. Then there are keyloggers; and more.
Some can be ruled out, but there is still insufficient data to zero in on a specific explanation.--
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum