Yahoo confirmed 400,000 user names from one of its services were hacked Thursday.
The company said that although the breached accounts include user names from Yahoo and other companies, only 5% of the accounts had valid passwords.
Yahoo said it is working to fix the vulnerability and is changing the passwords of the affected users. The company also said it is notifying other companies whose users may have been affected -- earlier we reported that they may include people who use AOL, Gmail, Hotmail and many others.
The hack happened Wednesday, according to Yahoo, which also said it was an older file for Yahoo! Contributor Network that was breached.
"We apologize to affected users," the company said in an email statement delivered promptly Thursday morning. "We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com."
A hacker group called D33D claimed it was responsible for the hack, and said it hoped Yahoo and the others involved would see this as a wake-up call rather than a threat.
Among the top five recurring passwords in the stolen batch were "123456," "password," "welcome," "ninja" and "abc123," according to David Harley, senior research fellow for ESET security firm.
If you have a Yahoo! Contributor Network account, it's best that you change your password on both that account and your email provider's account, too.