In addition, the breach reportedly contains hundreds of thousands of German and Chinese email addresses as well as thousands of username / password combos that appear to belong to employees from US banking, manufacturing and retail companies.
Hold Security apparently obtained this data directly from the hacker, who was selling the data set for the curiously low sum of less than $1. Holden instead told the hacker that he would post "favorable comments" about him in various hacker forums; that was enough to get the hacker to turn the data over. About ten days ago, Hold Security started informing the affected companies of the data breach; the company's policy is to return stolen data to the companies affected.
It's worth noting that while tens of millions of Gmail, Yahoo and Hotmail accounts were affected, the compromised accounts make up a relatively small percentage of the total in circulation. Google recently announced that more than one billion people are using Gmail, for example. But given people's propensity to reuse passwords, this breach could have wider-reaching effects. Either way, better safe than sorry -- if you haven't changed your password recently, now is as good a time as any. Also, turn on two-factor authentication!