The Basic Facts
Yahoo announced that it suffered a data breach in late 2014 in which the account information of 500 million users was stolen. The account information may include names, email addresses, telephone numbers, dates of birth, passwords (most hashed with bcrypt, but apparently not all), security questions, and security question answers.
People who have Yahoo-based services should immediately change their passwords, change their security questions and answers, stop using the same password on multiple accounts, and implement dual-factor authentication where available.
The Message in the Message
In its notification message, Yahoo subtly invokes the “it’s not our fault, we were the victim of a state-sponsored actor attacking us” defense. I do not blame Yahoo; it works. The message uses the words “state-sponsored actor” twice in the first paragraph and twice in the fourth paragraph: