Well, its real.
There's a clear conversation we need to have about these so-called "data brokers" in that the concentration is a problem and unlikely to go away without strong legislative action and criminal penalties for breaches.
Civil fines won't do it because they'll be dodged and second, in a breach of this size it doesn't matter how you try to fine someone -- you literally can't fine them enough to compensate for the problem.
This much is clear: If you haven't locked your credit file you had better do so right now. Go to any of the bureaus, sign in, pass their authentication and then put a freeze on your credit file. Then repeat at the other two. The good news is that a number of years ago Congress passed a law to make this free.
That won't stop all of the identity theft game but it will stop a lot of it.
What's in the breach? Names, physical (home) addresses, in some cases phone numbers and dates of birth and of course social security numbers. One of the more-common "prove you're real" things is to ask for a former address. That's now worthless with this file out there as any criminal can get a highly-accurate list of former addresses going back at least 30 years. Correlation analysis is good enough with a trivial amount of information (e.g. a state you lived in during a given period of time) to "sift" duplicates and thus discern your SSN too among the various records, so SSN + former addresses is no longer of any use in verifying identity.
I cannot verify with any sort of certainty how new the data is (that is, how far back does it end) and it appears these are billing address records. So no, it's not everyone in the US and everywhere everyone has ever been or lived but it is a very large set of data including addresses, dates of birth and social security numbers.
This breach is crazy-eyed simply due to its size and how far back it goes. The OPM breach of a number of years ago was likely far worse simply because that was Federal Government employees that could quite-easily be discerned as to their likely role and that's bad news from a information security perspective.
The underlying reality of all of this?
IT security at firms and the government alike (as demonstrated by the OPM breach) sucks.
The take-away for ordinary people to reiterate what I said up above: Set up logins at all three bureaus and place a security freeze on your credit report. Make absolutely certain the passwords you use for them are both very strong and not used anywhere else (including the other two.) Why? Because "verification" in most places including the credit bureaus is usually one of address + SSN + phone number/email or similar and that data is in there so if you don't have an account set up someone else can in your name, they can use a different email address to get the verification code and then lock you out of your own credit report and security freeze capacity and/or steal your credit report which includes unmasked revolving account numbers. The only defense to that given the public nature of this data file and what it is includes is to have that set up yourself at the bureaus with a password only you have which precludes someone else from doing that to you.
One final point: It has come to my attention that there are a few sites out there "offering" to check if you're in this data breach. Do not, under any circumstances, put personal information into any such site -- nothing, ever, period. They probably do have the files (as noted this is wildly publicly-available) but doing that is confirming its accurate, giving whoever owns that site even more correlating information about you and begging for trouble. Don't do it; just assume you're in there because you probably are.