How do online accounts get hacked?

@p____h already answered pretty well most of what occurs when an account is hacked, but I wanted to add my salt regarding a recently hack of a Gmail account that is very interesting to read!

It's the recent Cloudflare attack.

This is just AMAZING, the attacker used 4 flaw in various services, not only Cloudflare's :

1. AT&T was tricked into redirecting my voicemail to a fraudulent voicemail box
2. Google's account recovery process was tricked by the fraudulent voicemail box and left an account recovery PIN code that allowed my personal Gmail account to be reset
3. A flaw in Google's Enterprise Apps account recovery process allowed the hacker to bypass two-factor authentication on my CloudFlare.com address; and
4. CloudFlare BCCing transactional emails to some administrative accounts allowed the hacker to reset the password of a customer once the hacker had gained access to the administrative email account.

I highly recommend you to look at the blog post, and if you are hurry, just read the infographic that shows the sequence of events. This attack would be worth a short movie!

There are a lot of ways which could be used to hack into your account.

Firstly, a lot of people use the same password to register everywhere. If you create account on the vulnerable website, then someone could hack into that website and get your credentials (stored at database). Then attacker has your e-mail, your password and if that password is the same as the password to your email-box, then he has an access to your e-mails.

Secondly, the next thing could be a very common password. If you use password like 123456 or qwerty then it's very huge probability that your account will be hacked. There are a lot of bots/crawlers in the Internet which collect e-mails and try to log into grabbed account by using common passwords. Of course they just use a few tries (preparing brute-force attack will be blocked e.g. by CAPTCHA).

Moreover, phishing is a nice trick to extort your e-mail and password. There are a lot of ways to trick users to type their credentials on the fake website. Some of them use social engineering, rest of them: more technical tricks, like tabnapping.

We shoudn't forget about malware. Keyloggers (or even mouseloggers for virtual keyborads) intercept typed passwords and send them to the attacker.

Creating a secret question (to help us in e-mail recovery) could be a problem too. It's not a method used for mass-email-stealing, but it's pretty effective for specific people. Obvious secret question like (what's my name or my favourite color) could be easily guessed or extorted by social engineering methods.

It is all of those. I work for a major company in the line you mentioned. I get a good inside out view, everyday there user accounts compromised.

Combination of phishing and social engineering is a major reason behind, there are ton of phishing sites out there and users get sent soliciting fake emails to them.

Secondly malwares and weak passwords. Malwares work best on site like facebook since their architecture's nature of open platform to integrate other sites and applications. I have seen huge dictionary attacks that went on for months and years to gain access to accounts with weak passwords. Compromising the system it self is less frequent.

Some attacks are combination of two or more, it is a chain of attacks that output of one attack is used in next attack. These attacks target not only usernames and passwords but gaining extended info and Personally Identifiable Information (PII) information too.