Commencing 20 May 2008...
I did some investigation for a client who had evidence to suggest that his Yahoo account had been exploited (emails being sent to contacts in his address book, purportedly from him). My conclusion at the time was that there was an API in existence (for developers) which could be used to run a dictionary attack on Yahoo account logins without either the user being aware, or Yahoo locking them out.
This Yahoo controversy has been going on a lot longer than everyone is making out.