Rapid7 security researcher Marcus Carey said yesterday that the file published by D33Ds included 123 government email accounts -- ones ending with ".gov" -- and 235 military-related addresses (ending with ".mil"). Among the government email accounts, Carey found several associated with the FBI, the Transportation Security Administration (TSA) and the Department of Homeland Security (DHS).
Security experts have been scathing in their criticism of Yahoo, in large part because the passwords were stored in plain-text, making the hackers' job of exploiting the stolen accounts a breeze.
Yesterday, Mark Bower, a data protection expert and executive at Voltage Security, said, "It's utter negligence to store passwords in the clear."
Also on Thursday, Rob Rachwald, director of security strategy at Imperva, took Yahoo to the woodshed. "To add insult to injury, the passwords were stored in clear text and not hashed (encoded)," Rachwald wrote in a blog post. "One would think the recent LinkedIn breach would have encouraged change, but no. Rather, this episode will only inspire hackers worldwide."
The LinkedIn breach Rachwald referenced came to light last month, and involved approximately 6.5 million encrypted passwords belonging to members of the networking service.
In its Friday blog, Yahoo again apologized to users affected by the password theft.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is firstname.lastname@example.org.
Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.