It's common knowledge that Yahoo has experienced major hacks in recent years. And law enforcement has ferreted out some of the perpetrators. See US charges two Russian spies and two hackers in Yahoo data breach. They used phishing attacks and forged cookies in the commission of their criminal endeavors.
Those of us who still use Yahoo email, not knowing whether the barn door was eventually locked, are undoubtedly taking our own precautions. An easy one would seem to be to log out after each usage and delete Yahoo's cookies. But Yahoo wants users to stay logged in.
Look at the login page. The default is a check in the box that says "Stay logged in." That serves Yahoo, but it's hard to say whether the email user is protected with the connection open indefinitely. In any event, part of my login procedure is to uncheck that box. It might help, but it couldn't hurt.