She must have had a weak password on her WP account, or logged into it at an unsecured wireless access point with some hacker nearby capturing network traffic. The person who hacked WP had probably sold the information to someone else, and their scam is to hack Facebook or whatever else their goal is. These people are no longer lonely teenage hackers as portrayed in the 80s and 90s. They are criminals out to make money.
ALL: don't use weak passwords!
The least secure passwords are single English words in lower case. It takes mere seconds for a computer to run through a dictionary and try all English words.
Next least secure, and the most commonly used, are an English word followed by one or two numbers. A hybrid attack can crack these. It takes longer, on the order of hours, but they can be cracked pretty easily.
For best security use passwords at least 10 characters long, with a combination of upper case, lower case, numbers, and punctuation marks. Like this:
5tr0NGpwd!
Only a brute force attack can crack these, and that takes bloody ages:
a
aa
aaa
aaaa
aaaab
aaaac
Etc... and even then the hacker may not include numbers, or upper case letters, or punctuation marks in the attempt so they would never get it.