So it's looking like simple social engineering against a single employee was all it took for Yahoo's billion users to have their security breached. This sort of attack is difficult to prevent if individual employees aren't on their guard. No amount of training can legislate against that one unguarded moment, that mistake by a targeted person.
Yahoo will pay the penalty. Initially that's a $400m reduction in its sale price to Verizon. Whether there will be further consequences remains to be seen.
It's a cautionary tale for anyone who relies on a third-party service to hold their secrets, too. Have a password manager which syncs your password file across devices? You might be next.
Password managers offer lots of convenience, and for those who struggle with the task of managing passwords across multiple services, they can be something of a godsend.
However, if I were the sort of person keen to get their hands on user credentials, that would unquestionably be my first point of attack. One win gets you the keys to the whole village.
If you do need to use a password manager, I would strongly suggest you select one that keeps its password file locally and doesn't do any synchronisation. Store it on a device that is well locked down (your phone seems the best bet) and make sure the local master password is strong.
There's no worse feeling than finding out one of your accounts has been hacked. Except when all of your accounts have been hacked.