Hotmail isn't really that secure, accounts get cracked rather randomly just for spamming purposes. And if your sister has ever accessed it on some public machine (and didn't remember to clear browser cache afterwards) that could have caused the problem as well.
The first step, as already suggested, is to try to change the password. If you aren't able to do that then read this page for more instructions:
http://explore.live.com/windows-live...unt-hacked-faq
The second step is to check
every other web site and service where she might have used the same password, and change their passwords as well.
(I recently helped a friend whose hotmail account was cracked and used for spamming, she hadn't actually used hotmail itself for years but used the same account for Messenger. Her (Windows) computer proved to be clear of any viruses and spyware, so it seems to me that either the account was simply cracked with brute force or through some Messenger vulnerability. Simply changing the account password solved the problem.)
Bookmarks