How do they hack? Data breach or vulnerability?
I work in cybersecurity, so I can tell you how it often goes:
Hackers find a site that could be of some value to them, they then use a list of passwords from database breaches on other sites that have been cracked. They feed in email and password pairs with their automated bruteforcing script until the script hits. Once they find a hit they login with it and utilize that account in whatever form or fashion they can.
The best way to defeat this is always going to first and foremost be enabling two factor authentication, followed by a secure AND unique password (never used elsewhere), random security questions and answers, and lastly a unique email address per site.
A good unique password always hinges on length. Longer is better. It needn't be crazy, but it's helpful to incorporate uppers, lowers, numbers, and special characters. Password managers can often do this for you automatically, as well as keeping track of each password for each site. LastPass was mentioned as one, but I would highly recommend against it. 1Password or Bitwarden are probably two of the better and more recommended ones. A good password might look like this: garden6CAT-tortila. Easy to remember, but not super easy to crack.
1Password can also store your multifactor "Google Authenticator" tokens, and keep track of random security questions and answers.
As for unique email addresses the functionality is built into Gmail and some other providers. If your Gmail address is bob123@gmail.com then you can make your DansDeals email bob123+dansdeals@gmail.com and it will still reach the inbox of bob123@gmail.com.
If you want to check if your email and/or password has ever been in a breach then check haveibeenpwned.com to see. More than likely it has. When testing password the guy who designed the site (Troy Hunt) made it so only part of your password is hashed and is tested against the breached password database.