Yahoo has warned customers that cyber attackers may have compromised their accounts in the past two years, finally alerting them about malicious activity it has known about for months.

The warning, which has been issued to affected customers, says that hackers may have been able to access their accounts without knowing the password. The attackers are believed to have stolen Yahoo's source code and used it between 2015 and 2016 to create forged cookies, allowing them to login to users' accounts without their details.

"We are writing to inform you about a data security issue that involves your Yahoo account," the warning from Bob Lord, Yahoo chief information security officer, begins. "Our outside forensics experts have been investigating the creation of forged cookies that could allow an intruder to access users' accounts without a password.

"Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 and 2016 to access your account."