If the spam is from a Yahoo account, Yahoo email logins can be read from the cookies on your browser if you don't sign out from Yahoo email.

I just discovered this today after receiving spam from my Grandson's yahoo email account.

When you sign out, the cookie is deleted. If you don't, it can be read when you go to another website or page.

There is a script designed to specifically do this.

You click on a link in an email, maybe even from a friend that had his login stolen, go to another site and GOTCHA.

I understand Yahoo could pervent this bt encoding the cookie somehow but they have known about it for months and have not corrected the flaw

This may apply to other web mail sites or even bank accounts but I am not certain yet.

Bottom line is don't click on links, even in friendly emails or open suspicious emails.