Their are websites on the internet that offer peoples web based email passwords, for a price.
I think it is done, by sending the victim an email, the email is opened. Somekind of cookie goes back to the host, from your web based account. With your password details. Very easy, with the right software and codes, I guess