It’s a cyber catastrophe. Yahoo on Thursday confirmed a massive security breach that saw hackers steal personal information for over 500 million accounts. Yahoo (YHOO) says a foreign government is to blame.

The incident is a big deal, since so many people have a Yahoo account of some type or other — for email or finance or fantasy sports and so on. The fallout will have major implications for consumers and Yahoo’s still ongoing merger with Verizon. Here’s a plain English Q&A about what we currently know.

What did the hackers steal?

They obtained consumers’ names, email addresses, phone numbers, birthdates and “hashed passwords” (more on that below). In some cases they also stole security questions and answers that would let the hackers access the account.

Who are the hackers?

Yahoo would only describe them as a “state-sponsored actor.” In other words, a foreign country used its military or intelligence services to break into Yahoo’s systems. The most likely culprits, in order, are: China; Russia; North Korea.

So did the hackers get into everyone’s account?

Not necessarily. The good news is Yahoo used a type of cryptography called “hashing” to protect the passwords. This means that the hackers would, in some cases, have to use powerful computers to crack the passwords one at a time.

The bad news is that many people still use common passwords, and hackers typically use computer programs to test those first (too bad for those of you who still use “12345” or “password” or “Iloveyou”). Also, since Yahoo says some users’ security questions are compromised, the hackers will have an easy way into those accounts too.

What can I do to protect my account?

If you haven’t changed your password since late 2014, which is when the breach occurred, you should do so immediately. Yahoo also says it will be contacting affected users and asking them to supply “alternate means of account verification.” (This probably means you’ll be asked to replace those security questions with some sort of two-factor authentication.)

Also, keep an eye on any other accounts for which you may have used the same password. A common tactic is for hackers to take usernames and passwords they steal from one site, and then try to log in with them elsewhere.

Why did Yahoo take so long to warn everyone?

Good question. It’s currently unclear when Yahoo learned about the attack. A news story in early August described how a hacker was trying to sell Yahoo accounts on the Internet, though this doesn’t mean the earlier episode is connected to the mega-breach announced on Thursday.

All Yahoo has said so far is that a “recent investigation… has confirmed the breach.”

What does this mean for Yahoo?

It’s not good. For one, its failure to tell Verizon (VZ), which is in the process of buying the company, could jeopardize the merger. And it won’t be long before a gaggle of class-action lawyers start suing Yahoo over the breach. Federal and state regulators will likely launch investigations, and possibly demand fines or penalties from the company.