When you get hacked, they file the keystrokes from your most current session. Routinely changing your password won't help this too much. What helps more than anything is to not use the same password everywhere. I think that most people are pretty understanding about that stuff since most everybody in the world has gotten one of those emails.
Yahoo needs to move to HTTPS.