Would following their advice of changing your password actually help in this situation? While it's a good practice in general, if I'm understanding this right, the attacker never has your password.
It's an XSS attack that takes advantage of the fact that you're logged in; they don't need your password. The best way to avoid it is to only log into your account in a separate browser that's in incognito mode. That, or log out of your Yahoo account immediately after you've done your business with them and don't hit any other web sites while you're logged in.
This is what I'm wondering as well. My wife's account was a part of this hack yesterday, though oddly she never uses the web interface. Maybe she was logged in regardless. She changed her password afterwards, but maybe the solution is to just log out of your account to kill that auth session cookie?
Changing your password is the best way to invalidate your Yahoo! login cookies (which is what's apparently been stolen based on comments). To verify with Yahoo! mail, log in with two browsers, change the password on one and you'll be forced to reverify with the other.
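
Added example, not part of any comment above and not Yahoo!'s code: a toy server-side session table showing the difference the thread is circling, where logging out ends one session while a password change invalidates every cookie issued before it. `SessionStore`, the credential "epoch" counter and the account data are assumptions made up for this sketch.

```python
import hashlib, hmac, os, secrets

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SessionStore:
    """Toy server-side session table; all names here are hypothetical."""
    def __init__(self):
        self._users = {}     # user -> [salt, password hash, credential epoch]
        self._sessions = {}  # cookie value -> (user, epoch at login)

    def set_password(self, user, password):
        # Registering or changing a password bumps the epoch, orphaning old cookies.
        epoch = self._users[user][2] + 1 if user in self._users else 0
        salt = os.urandom(16)
        self._users[user] = [salt, _kdf(password, salt), epoch]

    def login(self, user, password):
        salt, digest, epoch = self._users.get(user, (b"", b"", -1))
        if epoch < 0 or not hmac.compare_digest(digest, _kdf(password, salt)):
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = (user, epoch)
        return cookie

    def validate(self, cookie):
        user, epoch = self._sessions.get(cookie, (None, None))
        if user is None or epoch != self._users[user][2]:
            self._sessions.pop(cookie, None)  # drop stale or unknown sessions
            return None
        return user

    def logout(self, cookie):
        self._sessions.pop(cookie, None)  # ends this one session only

def demo():
    store = SessionStore()
    store.set_password("alice", "old-pass")  # constructed account
    browser_a = store.login("alice", "old-pass")
    browser_b = store.login("alice", "old-pass")
    copied = browser_a  # a copied cookie is byte-identical to the original
    store.logout(browser_a)
    after_logout = (store.validate(copied), store.validate(browser_b))
    store.set_password("alice", "new-pass")
    after_change = (store.validate(browser_b), store.login("alice", "new-pass") is not None)
    return after_logout, after_change
```

In this model a logout only helps if the copied cookie belongs to the session being logged out; any other live session for the account survives until the password change bumps the epoch.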