Steven Musil reports:
Yahoo appears to have been the victim of a security breach that yielded more than hundreds of thousands of login credentials stored in plain text.
The hacked data, posted to the hacker site D33D Company, contained more than 453,000 login credentials and appears to have originated from the Web pioneer’s network. The hackers, who said they used a union-based SQL injection technique to penetrate the Yahoo subdomain, intended the data dump to be a “wake-up call.”
Read more on CNET. In related coverage, Roger Cheng of CNET analyzes the passwords.
Update 1: Mathew J. Schwartz has more on InformationWeek:
According to security researchers, the leaked came from the Yahoo Voice service. That’s because, while most subdomain details were excised from the data dump, “the attacker forgot to remove the hostname ‘dbb1.ac.bf1.yahoo.com’ (credit to Mubix for the hostname find). Looking through a variety of sources, it appears that the compromised server was likely ‘Yahoo! Voices’ which was formally known as Associated Content,” according to Trusted Security. But according to theGuardian, the last entries in the data dump link to IDs created in 2006, suggesting that the password list may date from that time.