An observation - it is possible the passwords have been cracked
Last Autumn I had the unpleasant experience of having to tell my boss to disregard an email from me as it contains a virus or some sort and was not sent by me.
It was, however, marked as coming from me, and sent to a large number of people. After scouring my machine to try to track down the addresses present in the mail (it was an odd assortment, mostly people I know but it wasn't any addressbook I could lay my hands upon). The more I puzzled over this, the more it looked like it was basically listing the history of messages sent from my Yahoo! account. I was aware of this as I send myself messages when testing stuff like the phone/tablet settings are correct.
How would this information be available if the account had not been compromised? That's a question we ought to be asking here. So either Yahoo! has yet another leak, or the passwords are being cracked. I don't know why they didn't hit the addressbook. Too obvious, maybe? It's rather clever to target those addresses a person has actually sent messages to.
At any rate - perhaps their entire client database got lifted and they took two years to notice? Nice work. {slow handclap}
Biting the hand that feeds IT
