There are a number of ways.
1. Your friend's computer is vulnerable and has a keylogger on it.
2. The attacker guessed your friend's secret answer to recover the password. Usually secret answers are not as secure as the passwords and are easier to guess.
3. She was trying to find out someone's password and she probably fell for the oldest trick in the book the : how to hack hotmail/yahoo/google/whatever. For more details I'll quote §intå×:
" Okay for all of you who want to hack hotmail here it is.
log into your account. Go to create new message. In the subject type in psswd_get_curmbbox_0#.Vvgncx_hotmail_address_you_want_password_for
Make sure to keep it case sensative. Then address your email to firstname.lastname@example.org "
4. Your friend clicked on a link that resembled the I.M. page and she filled in her details (ID & password) without realising what she was doing. I've seen this attack on Yahoo Messenger, someone sends out a link saying something like : "Check this babe out!". When the users click the link they enter a page that is identical to Yahoo Photos (photos.yahoo.com) only it has a really different address (but people tend to ignore that). They are asked to log in with their ID and password and once they fill in their ID and password they see a picture of a babe then they close the site and forget about it, but the people behind the site record the id and password. This attack is also known as phishing.
I'm sure there are many other ways but this are pretty common.