I explained how you do it (give up your privacy) in my prior post.
How they (hackers) do it:
Using nothing more than information his victims readily provided, this hacker gained access to their email and/or Facebook accounts; with highly embarrassing results.
I've long been baffled by sites that, purportedly in the interest of better security, require users to supply highly specific information like their father's middle name or what high school they attend(ed).
Oh, and the hacker? He said he did it because it's funny…