A statement from Yahoo!, Obtained by TechCrunch, says less than five per cent of the accounts affected by the hack had valid passwords.
At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo! and other company users names and passwords was stolen yesterday,July 11.
Of these, less than 5% of the Yahoo! accounts had valid passwords. We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised. We apologise to affected users. We encourage users to change their passwords on a regular basis and also familiarise themselves with our online safety tips at security.yahoo.com.
Yahoo Inc has reported the theft of 400,000 user names and passwords to access its own site, as well as those of other companies, saying that hackers had taken advantage of a security vulnerability in its computer systems.
Company spokeswoman Dana Lengkeek did not identify the other companies whose credentials were stolen or say how many of the stolen logins were for Yahoo's sites. She said the data was included in "an older file."
"We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised," she said.
Industry website CNET reports the hackers as saying the breach was intended as a "wake-up call and not as a threat" and that Yahoo's security was lax.
The hack is one of several in recent months. The business networking service LinkedIn admitted last month that 6.4 million member passwords had been stolen from its website.
A previously unknown hacker group has posted online the details of more than 450,000 user accounts and passwords it claims to have taken from a Yahoo server.
The Ars Technica technology news website reports the group, which calls itself D33DS Company, hacked into an unidentified subdomain of Yahoo's website where they retrieved unencrypted account details.
A Yahoo spokesperson in Singapore declined to comment.
Yahoo's chief executive Scott Thompson has stepped down after it emerged that his CV included a computer science degree he had not obtained.
Ross Levinsohn, who oversees Yahoo's content and advertising services, is taking over as the interim CEO - becoming the fourth person to run the company in eight months.