Most instances of being “hacked” (even in true international espionage and electronic warfare!) involve a person sitting at a machine the user is still logged into. If you close a YYE tab and re-open it later, you will still be signed in.
So being “hacked” could be as simple as someone sitting down at one of your computers (or at his computer if you ever used it to sign in!), and using your account. In bad cases, they change your profile and have a new password sent to themselves.
There’s not much YYE or any other site should typically do to improve this kind of “security breach”; it’s not that it’s impossible, it’s that it creates roadblocks that would hinder how fluidly we use the site. The benefits of this method of web sessions and cookies outweighs the negatives, but it DOES leave the end user responsible for signing out properly (ie. not just closing a tab) in order to clear their session and cookies.
Sorry, I know that’s a derailment.
If you can think of another way that the site’s security would allow a malicious party to use a computer that has never been signed into YYE to access user accounts without knowing the password, I’d be curious to hear it. On second thought, if there IS a way, probably better to not publish it. But I’m skeptical that your cousin did anything other than seize an opportunity, which is what most “hacking” really is.