How Yahoo allowed hackers to hijack my neighbor's e-mail account

27 points by Jaigus, over 12 years ago

2 comments

throwaway125, over 12 years ago
The gist of it seems to be that Yahoo ran a vulnerable WordPress site that allowed the attacker to run JavaScript from the Yahoo domain, allowing them to steal login cookies.

That makes me wonder, doesn't Yahoo set the HTTP only flag for their session cookies? Is there any reason you may want JavaScript to access the session cookie?

Suppose it's a good time for everyone to verify that their websites properly set HTTP only on any cookies you don't want to access via JavaScript.
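Added example, not part of the original comments: one way to run the check suggested above is to list every cookie a response sets without the `HttpOnly` attribute, together with its `Domain` scope, since a domain-scoped cookie is also visible to pages on sibling subdomains. The header values, cookie names and the `script_readable_ok` allowlist are constructed for illustration.

```python
# Audit Set-Cookie headers for cookies that page JavaScript can read.
SAMPLE_RESPONSE_HEADERS = [  # constructed sample, not captured from any real site
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "auth_token=def456; Domain=.example.test; Path=/"),
    ("Set-Cookie", "ui_theme=dark; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"),
    ("set-cookie", "csrf=ghi789; Path=/; secure; httponly"),
]


def parse_set_cookie(value):
    """Return (cookie_name, {lowercased_attribute: value, or True for a bare flag})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        # Attribute names are case-insensitive, so normalise before comparing.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), attrs


def audit_cookies(headers, script_readable_ok=()):
    """Return (name, scope) for each cookie set without HttpOnly.

    script_readable_ok is a hypothetical allowlist of cookies that are meant
    to be read by page scripts (for example a UI preference).
    """
    findings = []
    for header_name, value in headers:
        if header_name.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "httponly" not in attrs and name not in script_readable_ok:
            # A Domain attribute widens the cookie to subdomains; without it
            # the cookie is host-only.
            findings.append((name, attrs.get("domain", "host-only")))
    return findings


if __name__ == "__main__":
    for name, scope in audit_cookies(SAMPLE_RESPONSE_HEADERS, {"ui_theme"}):
        print(f"{name}: missing HttpOnly (scope: {scope})")
```
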
pasbesoin, over 12 years ago
Off the top of my head and as anecdote, I've probably received the most spam and/or malicious emails from friends' compromised email accounts where those accounts are Yahoo accounts. Hotmail would probably be second.

I usually go to the effort to call them up as soon as I can to inform them of the compromise. I've started gently describing the problems with these particular hosts; unfortunately, however, most don't go to the effort to make a change. And several have been compromised multiple times.