At the risk of essentially slashdotting myself or making my web host very angry at me, I have stripped out the passwords so that the only component remaining is the email addresses, in case you want to check whether you were part of the breach. (I was not! hooray!)<p>I am hosting this at: http://drostie.org/yahoo_leak.txt . If I receive too much traffic I may simply pastebin it.
I think these accounts were from prior to Yahoo!'s acquisition of Associated Content. There is NO WAY for a "native" Yahoo property to store plain text passwords. Of course it is Yahoo's fault for buying a company with such weak security...<p>If this was a leak in Yahoo, the number of users with a Yahoo e-mail would be much, much higher.
We did an analysis of the dump:<p>http://blog.sucuri.net/2012/07/analysis-of-yahoo-voice-password-leak-453441-passwords-exposed.html<p>What is interesting is the lack of "yahoo" as part of the passwords... I would expect a much higher % from a Yahoo leak.
It's a bit sad that the first bit of correspondence from Yahoo was actually just a syndicated news article from another source.<p>It makes you stop and think about whether they take security and their customers seriously.
Anyone know exactly what it means to be a Yahoo Voice user? I use Yahoo chat, and I think I've used voice chat in the past, but I don't see my username in the dump drostie posted.
A quick tool for end users to check if their emails were compromised:<p>http://labs.sucuri.net/?yahooleak