Intruders at Yahoo Inc. not only stole personal information from more than 1 billion accounts, but accessed the company’s own software to produce “forged cookies” that allowed them to get into user accounts without a password.

Cookies are small strings of data that websites automatically save to visitors’ phones and computers, often allowing visitors to skip the sign-in page so they don’t have to re-enter their credentials each time they go to the site. Cookies also underpin the online advertising industry by making it easier for companies like Yahoo to track people’s browsing habits and serve up targeted ads.

Forged cookies can exacerbate a security breach by allowing hackers to more convincingly impersonate another user—for example, by giving the false impression that the computer they are using is a familiar one. Forged cookies also allow an attacker to remain logged into a hacked account and monitor its activity.

On Wednesday, Yahoo said an unauthorized third party accessed the company’s “proprietary code to learn how to forge its cookies.” The company’s security chief, Bob Lord, said the spoofed cookies were tied to the hack of more than 500 million accounts revealed in September. Yahoo first described the exploit in a November securities filing.

Yahoo said it has invalidated the forged cookies and is notifying account holders who were affected in 2015 and 2016. A Yahoo spokeswoman declined to say how many of the hacked accounts were affected by the forged cookies.
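
One way a site can keep forged cookies from working and invalidate them afterwards, shown as an added example that is not Yahoo's code and not from the article. The cookie layout, key names and function names are assumptions, and account names are assumed not to contain `|`.

```python
import hashlib
import hmac
import secrets

# Constructed signing keys by version; a real deployment loads these from a secrets manager.
KEYS = {1: b"constructed-key-v1", 2: b"constructed-key-v2"}
ACTIVE_VERSION = 2
RETIRED_VERSIONS = {1}   # keys treated as exposed; cookies signed with them are refused
SESSIONS = {}            # server-side record: session id -> account name


def sign(version, session_id, account):
    msg = f"{version}|{session_id}|{account}".encode()
    return hmac.new(KEYS[version], msg, hashlib.sha256).hexdigest()


def issue(account, version=ACTIVE_VERSION):
    """Create a session after a real login and return the cookie value."""
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = account
    return f"{version}|{session_id}|{account}|{sign(version, session_id, account)}"


def validate(cookie):
    """Return the account name for a valid cookie, or None."""
    parts = cookie.split("|")
    if len(parts) != 4 or not parts[0].isdecimal():
        return None
    version, session_id, account, tag = int(parts[0]), parts[1], parts[2], parts[3]
    if version not in KEYS or version in RETIRED_VERSIONS:
        return None      # rotating a key invalidates every cookie signed with it
    expected = sign(version, session_id, account)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None      # tampered or wrongly signed
    if SESSIONS.get(session_id) != account:
        return None      # signature verifies, but the server never issued this session
    return account


def revoke_account(account):
    """Drop every server-side session for one account (per-account invalidation)."""
    for sid in [s for s, a in SESSIONS.items() if a == account]:
        del SESSIONS[sid]
```

A validator that stopped after the signature check would accept any cookie produced by someone who had learned the signing scheme. The server-side lookup and the retired-key list are what make invalidation possible.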