Yahoo is warning some customers that state-sponsored attackers have accessed their accounts by using a sophisticated cookie forging attack, which doesn't require obtaining user passwords.
The notice is a continuation of the company's response to a series of historic data breaches announced last year.
An email from Yahoo forwarded to ZDNet said:
"Our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users' accounts without a password. Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account."
A handful of others on Twitter also confirmed they had received an identical email notification.
Yahoo confirmed the notifications were genuine.
"The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders," a spokesperson confirmed.
It's not known how many customers are affected, though state-sponsored attacks are typically targeted and small in number.
Yahoo said that hackers were later able to get access to accounts without needing passwords after stealing the company's source code used to generate cookies.
After learning of the attacks, Yahoo invalidated the cookies, effectively locking out the attackers.
Yahoo began sending out emails on Wednesday, as news broke that Verizon, which is buying the web giant, lowered its price for the company by $250 million as a result of the two hacks.
By comparison, the cyberattack on Target that exposed over 40 million credit cards cost the company about $162 million, after being offset by a $46 million insurance claim.
Yahoo faces continued questions from lawmakers, who this week criticized the company for failing to answer "many basic questions" about the two historic cyberattacks.