The breach had ramifications far beyond Yahoo, because the portal allowed people registering with the Contributor Network to use credentials from other sites to log in. Carey identified some of the other sites as Google's Gmail, Microsoft's Hotmail, AOL, Comcast and Verizon.

A hacker group took credit for the breach, and posted a statement on its website saying the attack was a warning. "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," the group said, according to media reports. "There have been many security holes exploited in Web servers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly."

The hackers claimed to use a common attack method called a SQL injection to access the database that fed the server hosting the site. A SQL injection typically involves sending commands through a search field or a URL to break into a poorly secured site.

Tony Perez, chief operating officer for Sucuri, who used to work with defense contractors in developing secure applications, said Yahoo's overall security lapses were a disservice to its users. "It makes you wonder. If a property like Yahoo at that scale is doing that, and they did it for their Yahoo Voices, what's the probability of that also occurring in their other properties?"

The Yahoo breach occurred a month after professional social networking site LinkedIn acknowledged that and posted on a Russian hacker forum. In that case, the passwords had been stored using a cryptographic method called hashing.