I doubt they just "guess" their passwords. Are they just really good hackers?
If a professional hacker wants to hack a celebrity, there isn't a lot that celeb can do about it. Just like if you were walking down the street and a ninja decided to attack you, for most of us, we'd just get beaten up.
Combine that with the fact that celebs are like us when it comes to data security. Most are very bad at it. Paris Hilton using her dog's name as a password. Really? Even a ten-year-old knows better than that but she didn't. Sarah Palin answered the "What high school did you go to?" question correctly. You can find that information on Wikipedia. No real skill needed to hijack her Yahoo account. Oh, and celebs should LIE for those questions. What high school you went to? Answer it with Grilled Cheese Sandwich, then record that somewhere secure since they need to remember the lies.
No. They send spear phishing emails or they guess security questions and reset the passwords. Or the celeb uses the same password for multiple accounts. For example, Adobe lost something like 150 million password/user name combos. Ashley Madison lost another few tens of millions. Anyone can access the leaked login credentials and then try a known email/username with the leaked password. In other cases, the hacker is just really good at manipulating customer service people. Here you can see an example of someone getting someone's bank info just by asking: https://www.youtube.com/watch?v=lc7scxvK…
Notably, social engineering is a combination art/science that requires you to have keen insights into human nature but you also have to intimately understand the system you are manipulating. You have to know company terminology and procedures to accomplish the more audacious feats.
The most sophisticated attacks generally require the complicity of an insider. The Stuxnet attack, for example, had to be installed on Iranian computers isolated from the internet (but not intranet) via a USB stick. I recently heard about another case of a popular YouTube channel run by a mother/daughter pair. The daughter simply logged into the account, deleted her mom's name from the account, and changed the password. The "hacker" then had sole access to royalties generated from content views.
Sometimes it (almost) comes down to a guess.
For instance, the iCloud leak, which wasn't actually a breach of iCloud, was through phishing, as well as a brute force attack. Meaning playing as someone else & using code to rapidly try all possible combinations.
99% are from phishing attacks. They find out their email address, then send them a real-looking email about their account security in order to get them to send their passwords to them. Social engineering is one of the best ways to get into an account.
There are various ways. The most popular is by reading their blogs and pages then answering their recovery question(s) which they have stupidly set to default answers.
They don't guess, they find out what the passwords are!