A number of times in recent memory Yahoo has been subject to attacks using XSS and similar. One example of one that was exploited (there was a disclosure back in May, but that didn't have reports of active exploits): http://thenextweb.com/insider/2013/01/31/yahoo-mail-users-st...