In late 2014, state-sponsored hackers obtained account information (including names, phone numbers, security challenge questions with answers, and hashed passwords) for 500 million Yahoo accounts.
What Is the Risk?
While the exposed passwords were hashed, weak or short passwords will be compromised over time by password-cracking tools.
Although Yahoo has invalidated them on its servers, the exposed security questions and answers may still be used to reset passwords for other services.
What Can I Do?
Change your Yahoo password: If you haven't changed your Yahoo password since 2014, it needs to be reset. If that password was used anywhere else, it needs to be reset there as well.
Enable two-step verification: When you enable two-step verification, a stolen password isn't enough to give a bad guy access to your account and data. Enable it for any account that supports it. Find out how at https://twofactorauth.org.
Use a password manager: Longer passwords are stronger passwords. Unique passwords limit the impact of a stolen password. The best way to create, store, and manage strong, unique passwords for all your accounts is a password manager. Harvard offers LastPass Personal Premium at no cost to Harvard Affiliates. Get started at http://security.harvard.edu/lastpass.
Yahoo Press Release: http://www.businesswire.com/news/home/20160922006198/en/