Short answer: They are being given permission. Victims click on the links, or respond to spoof emails with personal data, and give the bad guys the keys to personal accounts.
In this attack, as with most such attacks, the victims must voluntarily give out their info. So, the answer to the question, How are the bad guys hacking so many accounts?, is that we are still letting them.
Be careful out there – don’t click that.