by rll 4270 days ago
That's not a Yahoo hack though. When that happens it is almost always your local machine that has been breached by a virus which simply reads the locally stored contact list. And to answer your question, no, it is not a regular occurrence for Yahoo, or any of the major players, to have their servers hacked.
2 comments

A number of times in recent memory Yahoo has been subject to attacks using XSS and similar. One example of one that was exploited (there was a disclosure back in May, but that didn't have reports of active exploits): http://thenextweb.com/insider/2013/01/31/yahoo-mail-users-st...
It may explain it for other users, but at the time I hadn't logged into any Yahoo service for months.
To my knowledge, my machine is secure. It wasn't Windows and I had both anti-virus and a firewall active. For one thing, what made this strange was that I hadn't even logged into Yahoo for months (probably close to a year) when this happened, repeatedly.
Another possible explanation is password reuse on a site that was breached.
I don't reuse my passwords.
Could also be password guessing; lots of people use the "common word + number" pattern for their Yahoo! passwords.
If I remember correctly it was a random alpha-numeric password with both different cases and a special character or two, and I've never used the same password on a different service.

All I know is that I've never had this problem on competing services.

I've found XSS bugs that allow full account takeover being actively exploited on Yahoo! a couple of times. They have a lot of legacy crap that was written 15-20 years ago.