One of my friends is a regular hacker of Minecraft accounts, and he told me his secret.
Here's how they do it:
1) They choose a very active thread on this forum, with a lot of different people posting.
2) They use a program (I'm not going to release it here; I don't want any more accounts being hacked) that takes the thread URL as input and scans the Minecraft usernames of all the people who posted in the thread. It then deposits them in a text file.
3) Now they use a special Minecraft brute-forcer to run through the list of usernames with a word list (usually an English word list) to try to crack the passwords.
4) All the working usernames and passwords are deposited in a text file.
Now, here's how to protect yourself from this:
1) Don't list your Minecraft username in your profile field. You're fine to mention it in your signature or name, because most (if not all) scanners don't check that, only your profile link.
2) Don't use a password that's a word, especially not in the English language. I recommend using a password that's a mix of letters, numbers, and symbols. You should try http://www.freepasswordgenerator.com/.
3) And of course, do all the regular things like get a good antivirus and don't tell anyone your password. Here is a good thread with some tips: viewtopic.php?f=1020&t=118221
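
An added example, not part of the original post: a local check for the kind of password that tip 2 warns about, plus a generator that uses Python's `secrets` module instead of a website. The function names, the 12-character minimum and the five-word sample list are assumptions made for this illustration; a real check would load a full English word list.

```python
import secrets
import string

# Constructed sample list; a real check would load a full English word list.
SAMPLE_WORDS = {"dragon", "creeper", "diamond", "password", "minecraft"}

# Common character substitutions that do not make a word any harder to guess.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
PADDING = string.digits + string.punctuation


def is_wordlist_style(password, words=SAMPLE_WORDS):
    """Return True if the password is a listed word, even when it is
    capitalised, padded with digits/symbols, or written with substitutions."""
    lowered = password.lower()
    core = lowered.strip(PADDING)
    candidates = {lowered, core, lowered.translate(LEET), core.translate(LEET)}
    return any(c in words for c in candidates)


def generate_password(length=16):
    """Return a random password containing letters, numbers and symbols."""
    if length < 12:  # assumed minimum for this example
        raise ValueError("use at least 12 characters")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        has_all = (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                   and any(c.isdigit() for c in pw)
                   and any(c in string.punctuation for c in pw))
        if has_all and not is_wordlist_style(pw):
            return pw


if __name__ == "__main__":
    # Constructed sample passwords, for demonstration only.
    for sample in ("dragon", "Creeper123", "p@ssw0rd", "tq9#Lm2!vX"):
        print(sample, "-> weak" if is_wordlist_style(sample) else "-> ok")
    print("generated:", generate_password())
```

Adding numbers to the end of a word or swapping letters for look-alike symbols still leaves a word-based password, which is why the check strips padding and undoes substitutions before the lookup.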