Sounds like you're a victim of this: http://feeds.arstechnica.com/~r/arstechnica/index/~3/NzaR7UHUhIY
A group has been exploiting A vulnerability in yahoo to steal session cookies. Log out completely to be sure the cookie is invalidated then log in from a clean machine (live CD) and reset your password , Security questions, and double check the alternate/recovery E-mail is set correctly. As long as the session cookie is still valid the miscreants can get into the account.
Also any info in that account must be considered compromised. Any passwords, financial info (card numbers) etc will all need to be changed to prevent problems down the road.
Hope this helps, Freemor
