According to ABC News, some of those users were Gmail, Hotmail and AOL email account holders, meaning their information was also hacked.
Yahoo confirms as many as 450,000 email addresses and passwords got into the hands of hackers on Wednesday. The security breach targeted what the company said was an "old file" from the Yahoo Contributor Network, which is a content-sharing platform.
While Yahoo claims only 5 percent of the stolen passwords are valid, some computer security experts said the breach suggests the company was negligent in safeguarding the data.
"When that data is out there, it really is incumbent upon them to protect it wherever it might be and that wasn't being done," said Dr. Clifford Neuman, director of the USC Center for Computer Systems Security.
Neuman said the hackers, who call themselves the D33D Company, stole the unencrypted passwords using SQL injection, a technique hackers use to extract data from vulnerable websites.
"The particular kind of attack that was exploited here is one that has been known for many years. We see it coming up again and again," said Neuman.
Yahoo on Thursday released a statement, saying, "We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users' accounts may have been compromised. We apologize to all affected users."
But security experts said users need to protect themselves from potential breaches. Neuman suggests choosing complex passwords and never using the same password for every site. And if you are a Yahoo user, the first thing you need to do now is change your password.
"More importantly, you need to change your password not just on Yahoo, but on online banking sites where a lot of users will use the same username and password on the online banking site that they use on a site like Yahoo. You should never do this," said Neuman.
The hackers posted a full text document online containing the usernames and passwords and said the breach should be a "wakeup call" rather than a threat to Yahoo.