According to US security firm TrustedSec, the attack originated from the servers of Yahoo Voices, a user-generated content platform launched after Yahoo acquired Associated Content in May 2010 for $100m.
The service is claimed to have more than 600,000 contributors, so the hack could have affected more than two thirds of the user base (although it is unclear how many of the accounts are actually active).
Similar attacks have been reported on Android Forums and Formspring, but it is understood that in those cases the passwords were encrypted.
Users of those services are still being advised to change their passwords immediately.
Security experts said that the Yahoo Voices attack is the most concerning because the hacker could get free access to the passwords and the email addresses.
A group calling themselves "the D33Ds company" has reportedly claimed responsibility for the attack.
In a statement, web giant Yahoo said that it was "currently investigating the claims of a compromise of Yahoo! user IDs".
The company also encouraged users to "change their passwords on a regular basis".
Yahoo has not yet said which part of its network was affected by the hack.
But TrustedSec said that the compromised Yahoo passwords were connected with a variety of email addresses originating from yahoo.com, gmail.com and aol.com.
The organisation said that hackers used the technique of SQL injection to steal the sensitive information from Yahoo's database.
"The most alarming part of the entire story was the fact that the passwords were stored entirely unencrypted," the firm said in its blog.
Security firm Imperva claims that the compromised Yahoo database could have contained private data, such as names, addresses, dates of birth and even phone numbers.
Separately, social network Formspring disabled almost 30 million passwords after nearly 420,000 of them were posted online by hackers.
In a blog post, the three-year-old company said that the breach had occurred after someone had hacked into one of its San Francisco-based servers.
"Once we were able to verify that the hashes were obtained from Formspring, we locked down our systems and began an investigation to determine the nature of the breach," said the firm.
"We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database.
"We were able to immediately fix the hole and upgraded our hashing mechanisms from sha-256 with random salts to bcrypt to fortify security.
"We take this matter very seriously and continue to review our internal security policies and practices to help ensure that this never happens again."