Better late than never, I suppose. Four years after hackers plundered millions of LinkedIn (LNKD) usernames and passwords, the company has decided to tell us what is going on, at last.
On Wednesday afternoon, users received an email titled “Important information about your LinkedIn account,” describing the massive 2012 hack and what the company is doing about it.
The short version of the email is something like this: “Yup, they hacked us all right. And, in case you haven’t changed your password since 2012, we’ve cancelled those older passwords. We’re working with law enforcement to protect you.”
LinkedIn also suggests users adopt some basic security hygiene:
While we do all we can, we always suggest that our members visit our Safety Center to learn about enabling two-step verification, and implementing strong passwords in order to keep their accounts as safe as possible. We recommend that you regularly change your LinkedIn password and if you use the same or similar passwords on other online services, we recommend you set new passwords on those accounts as well.
While the 2012 hack was widely publicized at the time, the reason news of it flared up again is because of reports last week that revealed the breach was much, much bigger than initially thought.
It turns out that the hack affected 117 million email and password combinations—not the 6.5 million reported in the past. Oh, and the whole batch of them are for sale on the so-called dark web.
Get Data Sheet, Fortune’s technology newsletter.
In its email, LinkedIn claimed that it “became aware” last week that the data stolen in 2012 was being made available online. This seems a bit of stretch—the whole point of stealing data is typically to sell it online—but we’ll take them at their word. And, unlike so many other LinkedIn emails, this one is definitely useful.
Oddly, the email did not include any acknowledgement or apology for the dreadful security practices used by LinkedIn in the first place. These included poor cryptography, such as failing to “salt” the data, which made it easier for hackers to unscramble users’ passwords.
On the other hand, as security expert Troy Hunt reports in a definitive account of the recent news, the 2012 breach is not the fault of the company’s current leadership team, who are simply trying to clean up the mess left by their predecessors.
You can check this site to see if your email is one of those that got stolen in the LinkedIn hack here (mine was). And, for goodness sake, stop using silly passwords like 12345, LinkedIn, or password.
