InfoArmor has published an extensive report on the Yahoo! breach. They conclude that two distinct criminal hacking groups were involved, along with a third black market reseller. The groups that stole the data, InfoArmor says, sold them at least three times, once to a "state-sponsored actor."
It's worth noting that "state-sponsored" can include a wide variety of groups in addition to government agencies and services themselves: activists, terrorist organizations, crime syndicates and an array of hired guns can all, under the right circumstances, legitimately be considered "state-sponsored." Thus "criminal" and "state-sponsored" are far from mutually exclusive, and states are using more fronts and cut-outs in cyberspace (an updated form of traditional information operations and espionage tradecraft).
Other lessons being drawn from the breach include the "toxicity" of personal data, which draw hackers' attention (although it's unclear how companies that depend upon monetizing such data can avoid the toxin that comes with them), and the difficulties inherent in recovering from a breach that requires a massive password reset. Since security questions were also compromised, Wired suggests it's time to start telling lies in setting up one's answers.
The FBI warns Congress of more (presumably Russian) attempts to access state voter registration databases. Many take comfort from the disparate and disconnected US state-run voting systems, but such comfort is cold: one needn't globally hack an election to alter it. The power-grid analogy is instructive—a wayward squirrel or snake won't take out a continental grid, but it can still have a major effect.