Well, in my earlier post on security tips I mentioned links in email. According to an article in Business Insider, that’s exactly how John Podesta’s account was compromised.
Simply put: Rather than clicking a legitimate link from Google, he apparently clicked through to a fake website run by hackers. When he entered his account information, he handed over the keys to his Gmail.
This article by Ben Gilbert goes into some detail about how this was done. The attack took little effort and could have been avoided with a bit more care on the part of the user. Podesta even did the right thing by reporting the email to his IT support, but he still clicked the dangerous link in it.