Yahoo has sent out another round of notifications to users, warning some that their accounts may have been breached as recently as last year. The accounts were affected by a flaw in Yahoo’s mail service that allowed an attacker—most likely a “state actor,” according to Yahoo—to use a forged “cookie” created by software stolen from within Yahoo’s internal systems to gain access to user accounts without a password.
Yahoo informed some users in e-mails this week that “Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.” Some users are receiving messages regarding possible breaches using the cookie vulnerability in 2014.
The Associated Press’ Raphael Satter reports that a Yahoo spokesperson acknowledged the company was notifying users of the potential breach of their accounts, but would not disclose how many users were affected.