Yahoo is telling some of its users that hackers may have logged into their accounts, using a forged "cookie" which gives access even without a password.
According to CNET, the attack was originally announced in September, but has largely been overlooked until now as the revelation was included within a larger announcement about a Yahoo security breach considered the largest in history.
Yahoo said it had connected some of the cookie-based attacks to the "same state-sponsored actor" believed to be responsible for one of the other hack.
It's unclear why some of the users are receiving the notification now, months after Yahoo first disclosed the cookie attacks.