A hacker group called D33D is claiming to have accessed more than 453,000 logins from Yahoo.
The group says it used a union-based SQL injection to access an unidientified Yahoo service to retrieve the data, which it says was unencrypted, and has posted it online.
"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," says D33D in a statement.
"There have been many security holes exploited in Web servers belonging to Yahoo that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."
Security firm Trusted Security says the passwords concerned contain a wide variety of email addresses, from Yahoo, Gmail, AOL and others. It adds that it believes it's identified the Yahoo subdomain concerned.
"The affected website was only named as a subdomain of yahoo.com however digging through and searching for the hostname, the attacker forgot to remove the hostname 'dbb1.ac.bf1.yahoo.com'," says the company.
"Looking through a variety of sources, it appears that the compromised server was likely “Yahoo! Voice” which was formally known as Associated Content."