The "how" it happened is probably impossible to answer since it requires either information only PayPal could get or only the bad guys know.
The two most common ways this happens are:
1) Malware on your computer. There are many different infostealers out there but ZeuS is the most common. Malware like ZeuS captures all of the stored passwords you may have on your machine, all of the cookies in your browser, all of the HTTPS POST content that you send when you log into sites, and everything you type and the name of the window you're typing it into.
Here is a snippet from an actual log from ZeuS:
[Bank of America | Online Banking | SiteKey | Verify SiteKey - Mozilla Firefox]
passcode=[the user's actual password here]
cc=[the user's actual credit card number here]
seccode=[the user's actual cvv2 number here]
[https://www.bankofamerica.com/accounts-overview/accounts-overview.go?sessionid=[censored session id]&request_locale=en-us&returnSiteIndicator=GAIMW]
[the user's real name here]
- Personal Accounts </div>
The user logged into their Bank of America account and ZeuS got everything. I don't feel comfortable sharing more of the log than that. ZeuS got everything.
2) The other very common way to steal from accounts is when a user uses the same password and email address with their financial account that they used on some other website. For example, suppose you use the same password on twistypuzzles.com that you use for your PayPal account. Then anyone with access to the twistypuzzles.com database (the hosting company, Sandy, anyone with backups, hackers, etc.) can look up your email address and password (crack it if necessary) and log into your PayPal account. Giant password breaches are very common. In the last two months both LivingSocial and Evernote lost 50 million passwords each.
Besides checking your computer for malware and using unique passwords, a pretty good way to protect your important accounts is with multi-factor authentication.
Amazon AWS: http://aws.amazon.com/mfa/
... and many other sites and services offer multi-factor auth. I use it everywhere I can.