How could someone forge a cookie after stealing the source code? Did Yahoo use a hardcoded private key in the code? Then any developer at Yahoo could have broken into an account. That cannot be right.
It doesn't answer your question precisely, but I asked a similar (albeit more incredulous) question a few months back [1] and got a thread full of educated speculation from current and former Yahoo devs.
Maybe the cookie generation had some sort of vulnerability (such as length extension) and looking at the source code helped attackers locate it and exploit it.
[1] https://news.ycombinator.com/item?id=13180234