Troy Hunt, in a piece which includes advice for sysadmins, developers and people running online services:
There’s a whole range of things that need to fall into place for an attack to have been successful (see the final section of this blog) but nonetheless, it’s going to leave a lot of companies in a very tricky position when they know that both the potential for exploit and the knowledge of how to do it were both out there. Take Yahoo for example – what should they do in light of Mark’s documented example? Force everyone to reset their passwords? Tell customers their data may have been compromised? It’s a very, very dicey situation for them to find themselves in.