Yahoo is warning customers that hackers may have been able to break into their accounts without even stealing their passwords.
The attack, attributed to the same “state-sponsored” hackers blamed last year for the breach of over a billion Yahoo accounts – the biggest hack in history – was effective between 2015 and 2016.
It was first disclosed by the company last year, but users have been receiving notifications about it this week.
“Our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users' accounts without a password,” reads the company’s message.
“Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.”
Forged cookies can allow a hacker into an account without having to re-enter a password.
Yahoo says it invalidated the cookies when it discovered the hack, but hasn’t yet revealed how many users were affected by it.
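The two mechanisms in the story, a cookie that stands in for a password and the mass invalidation Yahoo describes, come down to how a session cookie is bound to a server-side secret. The example below is added here for illustration and is not Yahoo's code; it assumes a hypothetical cookie format `user:issued_at:mac` with a constructed demo key, and shows that a cookie with a valid MAC logs a user in without a password, that a cookie altered without the key is rejected, and that the server can invalidate every outstanding cookie either by rotating the key or by refusing cookies issued before a watermark.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo key. A real service loads this from a secrets store and
# rotates it; anyone holding this key can mint cookies for any user.
SERVER_KEY = b"demo-server-key-rotate-me"


def issue_cookie(user_id: str, key: bytes, issued_at: Optional[int] = None) -> str:
    """Mint a cookie of the form user:issued_at:mac.

    The MAC binds the payload to the server key, so the cookie alone acts
    as proof of login; no password is re-entered on later requests.
    """
    issued_at = int(time.time()) if issued_at is None else issued_at
    payload = f"{user_id}:{issued_at}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def verify_cookie(cookie: str, key: bytes, not_before: int = 0) -> Optional[str]:
    """Return the user id for a valid cookie, or None if it should be rejected.

    not_before is the server's invalidation watermark: after an incident the
    operator raises it and every cookie issued earlier stops working, without
    having to enumerate the affected accounts first.
    """
    try:
        user_id, issued_str, mac = cookie.rsplit(":", 2)
        issued_at = int(issued_str)
    except ValueError:
        return None  # malformed cookie
    expected = hmac.new(key, f"{user_id}:{issued_at}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the MAC byte by byte.
    if not hmac.compare_digest(expected, mac):
        return None
    if issued_at < not_before:
        return None  # issued before the invalidation watermark
    return user_id


def demo() -> dict:
    """Walk through issue, tamper, watermark invalidation and key rotation."""
    cookie = issue_cookie("alice", SERVER_KEY, issued_at=1000)
    tampered = "mallory" + cookie[len("alice"):]  # payload changed, MAC unchanged
    return {
        "valid": verify_cookie(cookie, SERVER_KEY),
        "tampered": verify_cookie(tampered, SERVER_KEY),
        "after_watermark": verify_cookie(cookie, SERVER_KEY, not_before=2000),
        "after_key_rotation": verify_cookie(cookie, b"rotated-demo-key"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point for defenders is that with this design a cookie cannot be forged without the signing key, so a forged-cookie incident like the one described implies the key material itself, or the code path that mints cookies, was reachable by the intruder; the only reliable remedy is to invalidate everything issued under the old key, which is why Yahoo's response was to invalidate the cookies rather than ask users for new passwords.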
“The investigation has identified user accounts for which we believe forged cookies were taken or used,” said a Yahoo spokesperson. “Yahoo is in the process of notifying all potentially affected account holders.”
It’s the latest serious blow to the company’s reputation.
In 2016, it announced that cybercriminals breached over 500 million accounts in 2014, only to follow that up with news of the billion-account hack, which took place in 2013.
The company is in the process of being sold to Verizon, which reportedly wants to reduce the agreed $4.8 billion fee by around $250 million.