Yahoo has been contacting some of its users to warn them that their accounts have been compromised using "forged cookies". It's the latest security embarrassment for the company, which revealed in September that it had suffered a data breach two years earlier that affected 500 million user accounts; and admitted in October that a second security incident had affected around a billion accounts.
In an email received by some of Yahoo's users, it said:
"Our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users' accounts without a password. Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account."
Yahoo confirmed to ZDNet that the emails sent to those customers are genuine. It explained that hackers had stolen the source code that it uses to generate cookies, and that it had invalidated the cookies after learning of the latest attacks.
"The investigation has identified user accounts for which we believe forged cookies were taken or used," a spokesperson for the company said. "Yahoo is in the process of notifying all potentially affected account holders."
It's not yet clear how many people have been targeted, but Yahoo said that it began sending out the warnings to users on Wednesday. As with the 2014 breach that it disclosed in September, the company is claiming that "state-sponsored" parties are behind the latest attacks.