The hacker collective, which calls itself the D33Ds Company, claims it hacked into the online giant's (NASDAQ: YHOO) database by using a rather pedestrian SQL injection attack -- the kind of hack so boringly easy it's a joke among hackers and geeks due to its utter simplicity.
The company, however, said fewer than 5 percent of the Yahoo accounts posted had valid passwords.
"We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying the companies whose users' accounts may have been compromised," the company said in an emailed statement, according to the Wall Street Journal.
The unencrypted user names and passwords were pulled from a database that stored them in plain text and without the added security of a hashing technique -- an otherwise common practice for any company that handles sensitive user information.
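To make the two failures named above concrete, here is an added example (not code from Yahoo or from this article) that stores credentials as salted, slow hashes and looks them up with a bound query parameter. The table layout, iteration count and sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def hash_password(password, salt):
    """Derive a slow, salted hash so a dumped row does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def open_store():
    # Hypothetical schema: no column ever holds the password itself.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db


def register(db, email, password):
    salt = os.urandom(16)  # unique per user, so equal passwords hash differently
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (email, salt, hash_password(password, salt)))


def verify(db, email, password):
    # The ? placeholder binds email as data; it is never parsed as SQL.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?",
                     (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


def dump_rows(db):
    """What someone who copies the whole table would obtain."""
    return db.execute("SELECT email, salt, pw_hash FROM users").fetchall()


if __name__ == "__main__":
    db = open_store()
    register(db, "alice@example.com", "123456")  # constructed sample accounts
    register(db, "bob@example.com", "123456")
    print(verify(db, "alice@example.com", "123456"))
    print(verify(db, "' OR '1'='1", "123456"))  # quote characters stay inert data
    for email, _salt, pw_hash in dump_rows(db):
        print(email, pw_hash.hex())
```

A weak password such as 123456 remains guessable even when hashed; the salt and work factor only raise the cost of each guess against a stolen table.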
"The subdomain and vulnerable parameters have not been posted to avoid further damage," the hackers said in a release that accompanied the list, according to Computerworld.
The list of emails stretches beyond just the Yahoo.com domain and includes login information for more than 106,000 Gmail accounts and 55,000 Hotmail accounts, among others.
The list of usernames and passwords has since been taken down, but the full list of 453,492 email addresses has been posted in a searchable database here. You can also download a full list of usernames and passwords here.
Aside from exposing Yahoo's flawed security apparatus, the hackers exposed an all too common fact: too many users have dumb, simple passwords. The most common was 123456, followed by password, according to an analysis by CNET.