Yahoo mail users warned of brute force hacker attacks

According to Ryan Barnett, director of application security research at Breach Security, which identified the security problem recently, it stems from a web application that automates the log-in procedure for Yahoo Mail.

The Register newswire quotes Barnett as saying that the web application fails to adhere to the same security checks normally followed by the usual log-in page, enabling "some sort of water tunnel that the bad guys are walking right through".

As a result of the security loophole, hackers are using the insecure web application to carry out brute force attacks on user passwords.

Once hacked, the Yahoo Mail accounts are reportedly being used to send out spam and malware, and to encourage email users to download trojans that prompt them to access their bank accounts online.

Yahoo is reported to be investigating the vulnerability and is expected to seal the loophole shortly.