Update: Over 400,000 passwords from the Yahoo Voice domain have been compromised in an attack.
According to TrustedSec, the passwords were obtained from the Yahoo Voice domain using an SQL injection attack. The list is not limited to Yahoo email addresses; it also contains addresses from several other domains, including Gmail, AOL and Hotmail, which have been used to access Yahoo's services.
Yahoo users may want to consider changing their passwords now that the vulnerability has been discovered. Most concerning is that the passwords were stored in plain text. The data appeared on hacker site D33D Company, along with a statement from the group:
"We hope that the parties responsible for managing the security of this sub-domain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in web servers belonging to Yahoo Inc that have caused far greater damage than our disclosure. Please do not take them lightly. The sub-domain and vulnerable parameters have not been posted, to avoid further damage."
Yahoo has since issued a statement confirming the breach:
"At Yahoo, we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo Contributor Network (previously Associated Content) containing approximately 450,000 Yahoo and other company users' names and passwords was compromised yesterday, July 11. Of these, less than 5 per cent of the Yahoo accounts had valid passwords. We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying the companies whose users' accounts may have been compromised. We apologise to all affected users. We encourage users to change their passwords on a regular basis and also familiarise themselves with our online safety tips at security.yahoo.com."
Updated at 9.14am: added confirmation from Yahoo and list of passwords and domains affected.