Here are Vindu Goel and Nicole Perlroth for the New York Times:
Yahoo has made a steady trickle of disclosures about the 2014 hacking, which it has been investigating with the help of federal authorities. The company said Wednesday that it now believes the attacker in that breach, which it says was sponsored by a government, found a way to forge credentials to log in to some users' accounts without a password.
Bob Lord, Yahoo’s chief information security officer, said in a statement that the state-sponsored actor in the 2014 attack had stolen Yahoo’s proprietary source code. Outside forensics experts working with Yahoo believe that the state-sponsored hackers used Yahoo’s code to access Yahoo user accounts without their passwords by creating forged “cookies,” short bits of text that a website can store on a user’s machine. By forging these cookies, attackers were able to impersonate valid users, gaining information and performing actions on behalf of their victims.
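The cookie forgery described above works only because whoever holds the signing material can mint a session token the server will accept. The following is an added illustration (not Yahoo's code, and Yahoo's actual cookie format is not public) of an HMAC-signed session cookie, the constant-time check that rejects a token minted without the key, and the two revocation levers a defender has once forgery is suspected: bumping a per-user session generation, or rotating the server key to invalidate every outstanding cookie at once. The `user`/`gen` field names and the in-memory `generations` table are assumptions for the example.

```python
"""Minimal HMAC-signed session cookie with server-side revocation.
Constructed example for illustration; field names and storage are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def sign_cookie(payload: dict, key: bytes) -> str:
    """Return '<base64url payload>.<hex HMAC-SHA256 tag>' bound to `key`."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str, key: bytes, generations: dict) -> Optional[dict]:
    """Accept the cookie only if the tag is valid under `key` AND the embedded
    session generation matches the server's current generation for that user."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        payload = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if payload.get("gen") != generations.get(payload.get("user")):
        return None  # this user's sessions have been revoked server-side
    return payload


def demo() -> dict:
    key = secrets.token_bytes(32)          # server-side signing key (kept out of source control)
    generations = {"alice": 1}             # per-user session generation, stored server-side
    good = sign_cookie({"user": "alice", "gen": 1}, key)
    # A token built with the right format but the wrong key fails the HMAC check.
    wrong_key_token = sign_cookie({"user": "alice", "gen": 1}, secrets.token_bytes(32))
    results = {
        "legit_accepted": verify_cookie(good, key, generations) is not None,
        "wrong_key_rejected": verify_cookie(wrong_key_token, key, generations) is None,
    }
    generations["alice"] += 1              # lever 1: revoke one user's outstanding sessions
    results["revoked_after_gen_bump"] = verify_cookie(good, key, generations) is None
    new_key = secrets.token_bytes(32)      # lever 2: rotate the key, invalidating every cookie
    still_current = sign_cookie({"user": "alice", "gen": 2}, key)
    results["revoked_after_key_rotation"] = verify_cookie(still_current, new_key, generations) is None
    return results
```

The key takeaway is that once the signing key or its derivation is exposed (for instance by a source-code theft), the HMAC check alone no longer distinguishes a legitimate cookie from a forged one, so rotation and server-side revocation become the only effective responses.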
If you or someone you know is still using Yahoo, you should change your password. If you use similar passwords for multiple web services (please don't do this), then it is in your best interest to change them all.
At this point I think it's safe to say that you should probably be staying away from Yahoo in general. Who would have thought that we would be talking so much about emails this year? Let's all resolve to sign up for a password manager like 1Password, use two-factor authentication and have a hack-free 2017!