Yahoo confirms theft of 450K unencrypted passwords

12.07.2012

Like Yahoo and scores of other security experts, Carey urged Yahoo users to change their email account passwords immediately, then change the logins on any other sites that rely on the same email address/username and password combination.

But Carey went further, noting that Yahoo may provide more information on the breach later, which could necessitate a second password reset if the leak has not been totally contained.

"You should still go ahead and change it straight away, but you may have to change it a second time if it turns out the attacks are still entrenched in Yahoo's systems," Carey said.

Carey recommended that people install and use a robust password manager that can create complex passwords automatically, then store them for instant retrieval on multiple devices.

"I use ," said Carey, referring to a free open-source password manager for Windows. He also recommended for Windows, and said researchers at Rapid7 who worked on Macs relied on and .