A hacking collective posted the login credentials of a whopping 453,000 Yahoo users online yesterday, saying they'd swiped them from a Yahoo subdomain using a technique that only works on poorly secured Web apps that don't monitor text entered into various user input fields, Ars Technica reports. "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," the hacker group, known as D33D Company, wrote.
"There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure," the group added. Yahoo confirmed the breach today, saying it came from an "older file" in the Yahoo Contributor Network—formerly known as Associated Content, ZDNet reports. But it said only 5% of the passwords the group posted were still valid. The company said it was working to fix the vulnerability, and change the passwords on affected accounts.