Hackers have been using a custom Trojan called Clampi to accomplish this feat. The Trojan zaps your temporary password back to the waiting hacker who immediately uses it to log onto your account. This is an extension of the kinds of techniques that attackers often use to get around protections such as strong encryption. They don t go after the crypto itself, but instead go after a weaker link in the chain, in this case, the users likely clicked on a malicious link or visited a phishing site where the Trojan was hosted.
Source: https://threatpost.com/hackers-using-trojans-steal-one-time-passwords-082009/72953/