(UPI) — Yahoo is warning some users their online accounts may have been attacked by a “state-sponsored attacker” between 2015 and 2016 and linked to a massive data breach reported last year.

Yahoo confirmed Wednesday it notified users about the breach but declined to say how many accounts were affected.

Bob Lord, Yahoo’s chief information security officer, told users that a forged cookie may have been used to access their accounts.

“Our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password,” the email read. “Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account. We have connected some of the cookie forging activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on Sept. 22, 2016.”

Yahoo had reported the data breach affected more than 500 million users in late 2014. Three months later, in December, Yahoo reported that data of more than 1 billion user accounts were stolen in August 2013.

In the latest warning, the company said the hackers gained access to users’ accounts without passwords.

“We invalidated the forged cookies and hardened our systems to secure them against similar attacks,” Yahoo said in the email. “We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts.”

On its website, Yahoo explains steps to take if the company informed them of breaches.

Yahoo recommended that users avoid clicking on links or downloading attachments from suspicious email messages. The company asked users to consider adopting its authentication tool that eliminates the need for a password.

The warning comes as Verizon Communications, in negotiations to buy Yahoo, may be seeking a discount of $250 million because of the data breaches.

