As an Ex-Y, I'm amazed this has happened. AFAIK, all user accounts start their life in a central API service. The actual properties don't get access to the service, just to a lookup API (which isn't SQL, and has been hardened over many years). As a user of the service, you actually don't get the user's password at all - in fact, none of their security information. All of that is handled by login.yahoo.com, and as a general rules stays put. The user folks also spend a lot of time culling the spammers who spend a lot of time opening Y accounts.
How this service managed to get passwords and store them in a DB is a mystery to me. However, I strongly suspect the only passwords stolen are the ones on the affected service. Of course, if it's Yahoo Voices, Yahoo Voice or something else isn't fully clear yet. I'll be willing to bet at least half the accounts are spam, because they won't have been subject to the same culls as the main user service gets.
This ought to now be a "no one goes home until it's fixed" security event. I never heard of one in 3 years working there, although folklore said they had happened in the past. The local pizza companies better get cooking, because they're gonna get a call any minute...