Yahoo says 500 million accounts had user data stolen in 2014. In terms of the number of accounts, this may be the biggest data theft ever. On the other hand, it is easier to acquire a Yahoo account than almost any other Internet account, so the magnitude of the problem is not as big as the raw numbers would suggest. I ended up with at least five Yahoo accounts over the years, mostly through Yahoo’s acquisition of other services, though I had the good fortune to close all of them before the massive data breach in 2014. Yahoo itself closed hundreds of millions of inactive accounts in what, in retrospect, looks like a sensible precaution.
Hashed passwords were among the data stolen, so if you had a Yahoo password in 2014 and are still using the same password, you should change that password soon. If you use the same password anywhere else, change it there too. If you have several Yahoo accounts that you have kept open even though you no longer use them, consider whether you will be more secure if you close them now. It was only because I closed my Yahoo accounts years ago that I don’t have to worry about the current data breach.
The Yahoo data theft is believed to be the work of a national government, though Yahoo either doesn’t know or can’t say what country was involved. Multiple countries in recent years have been collecting user passwords wherever they can find them because half of Internet users reuse passwords at multiple sites, potentially giving spies access to highly sensitive information. The systematic theft of passwords is one of the reasons why it is safer to use a new password at every domain where you have an account.