
A group known as D33DS Company has posted over 400,000 Yahoo usernames and passwords online in plaintext, which means that anyone can use or steal them. The usernames come from the Yahoo! Voices service, previously known as Associated Content, which allows users to post content online. D33DS Company stated that the leak was possible because the service was susceptible to an SQL injection attack. The group hopes that “the leak will serve as a wake-up call for Yahoo! Inc. to re-evaluate their security policy.”
"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," a brief note at the end of the dump stated. "There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."
The leak represents just 0.5% of Yahoo’s 97 million users, but it is a significant portion of the users on Yahoo! Voices. It is estimated that there are 600,000 contributors to Yahoo! Voices, of whom 435,000 are affected by this leak. If you have used this service, you are advised to change your password immediately. Users of other Yahoo! services should also err on the side of caution.