Looking at GMX's password recovery process, to recover an account it looks like they will either send an email to s***@v*****.com
or they will let you enter your birthdate. Perhaps somebody exploited one of these two options?
Reddit formatting markdown fucked up the email address characters, but it looks like S followed by 6 stars @ V followed by 8 stars.
Entering birth date is rate limited to 3 attempts per 24 hrs. So probably wasn't accessed through this unless the attacker had narrowed down the range a bit.
This has already been discussed and is likely how he gained access. Think someone said it would take max a year to guess the birthdate by brute force.
I would think that the hacker likely changed the password reset questions once he gained access to the account. I would not be surprised if some hacker was able to exploit some kind of vulnerability at GMX (and potentially sold this information on some dark web site).