A few years ago, around 2000, maybe 2001, I signed up with a yahoo account. This was so I could gain access to the yahoo games system and try out word racer. When I signed up I had to give yahoo an email address to confirm the account with. I use custom crafted email addressses which encode the site's name in it so I can filter out companies that refuse to honor their unsubscribe/stop sending me junk options.
Other than the initial email to confirm the account, that address has never been used for anything--in general I use these addresses as receive only. And kindly, yahoo never used it again to send me spamvertising. Also, I haven't played a yahoo game in about 3, maybe 4 years. Today, however, I received a spam to that address. This spam was clearly illegal junk spam, a 419, and so it clearly wasn't condoned or sanctioned by yahoo, however it arrived at an address that existed for a one-time use to receive an email from Yahoo, and then again two years later for a password recovery (yeah, I forgot it).
This means that the existence of this address was only recorded in two places, my email archives in which the original was saved, and yahoo's internal databases. Therefore, since my systems have not been compromised (I manage internet servers for a living, and track all activity in and out of my boxes), this means that someone with access to Yahoo's internal listings of email addresses has sold/made available that list to illegal scammers. Not good.