It’s a cyber catastrophe. Yahoo on Thursday confirmed a massive security breach that saw hackers steal personal information for over 500 million accounts. Yahoo (YHOO, +2.98%) says a foreign government is to blame.
The incident is a big deal, since so many have a Yahoo account of some type or other — for email or finance or fantasy sports and so on. The fallout will have major implications for consumers and Yahoo’s still on-going merger with Verizon. Here’s a plain English Q&A about what we currently know.
What did the hackers steal?
They obtained consumers’ names, email addresses, phone numbers, birthdates and “hashed passwords” (more on that below). In some cases they also stole security questions and answers that would let the hackers access the account.
Get Data Sheet, Fortune’s technology newsletter.
Who are the hackers?
Yahoo would only describe them as a “state-sponsored actor.” In other words, a foreign country used its military or intelligence services to break into Yahoo’s systems. The most likely culprits, in order, are: China; Russia; North Korea.
So did the hackers get into everyone’s account?
Not necessarily. The good news is Yahoo used a type of cryptography called “hashing” to protect the passwords. This means that the hackers would, in some cases, have to use powerful computers to crack the passwords one at a time.
The bad news is that many people still use common passwords, and hackers typically use computer programs to test those first (too bad for those of you who still use “12345” or “password” or “Iloveyou”). Also, since Yahoo says some users’ security questions are compromised, the hackers will have an easy way into those accounts too.
What can I do to protect my account?
If you haven’t changed your password since late 2014, which is when the breach occurred, you should do so immediately. Yahoo also says it will be contacting affected users and asking them to supply “alternate means of account verification.” (This probably means you’ll be asked to replace those security questions with some sort of two-factor authentication.)
Also, keep an eye on any other accounts for which you may have used the same password. A common tactic is for hackers to take usernames and passwords they steal from one site, and then try to log in with them elsewhere.