If I remember correctly, it was a random alphanumeric password with both different cases and a special character or two, and I've never used the same password on a different service.
All I know is that I've never had this problem on competing services.
I've found XSS bugs that allow full account takeover being actively exploited on Yahoo! a couple of times. They have a lot of legacy crap that was written 15-20 years ago.