Re: not quite a financial institution or communications provider.
Credentials apparently weren't exposed, just the data protected by those credentials. So no actual passwords for reuse elsewhere. Worst case is the exposed data that might be used to narrow the search space for possible credentials for testing against other login portals, i.e. combining names/initials with birth-date/years.
Something I would really like to see is real-world numbers on just how many average people are pwned through data breaches like this vs. top 100 password attacks on global user spaces. I strongly suspect that people who use even very simplistic password generation algorithms based on personal data/interests fare better than those who chose "clever" passwords like "drowssap".
Simple truth is that unless someone has a good reason to target you personally, any non-trivial password is probably good enough. A six-letter word with personal significance + any two digits is likely to be enormously stronger than a 1337speak variation of "Millennium Falcon" despite the search space being potentially a few million times smaller.
Over the past few years we've seen a plethora of articles reporting on data breaches of so many millions of credentials, with the latest being some 700 million unique username/password credential pairs. So what does this really mean to the average person? The simple answer is, probably not a great deal, because unless you're Elon Musk or otherwise special in some specific way, you individually are not worth the effort of a targeted attack.
The website Have I Been Pwned is a semi-useful tool for determining whether any site that you've provided credentials to has ever been breached, but I think it would be far more useful to be able to simply enter a password and be told if ten or ten thousand others have had the same idea, regardless of site.