Get breaking news alerts and special reports. The news and stories that matter, delivered weekday mornings.

Yahoo hasn't had the best run when it comes to security breaches, and now the company has notified some users that hackers may have accessed their accounts without even needing a password.

Some users were notified that a "forged cookie" may have been used in 2015 and 2016 to access some accounts. Yahoo also said the forged cookies have since been invalidated.

The unauthorized access stems from the 500 million account breach Yahoo disclosed in September. Yahoo first alluded last October to the sneaky forged cookie method hackers may have used.

Related: Marissa Mayer Leaving Yahoo Board After Verizon Deal

Byers Market Newsletter Get breaking news and insider analysis on the rapidly changing world of media and technology right to your inbox. This site is protected by recaptcha

"Forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the Security Incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information," a company SEC filing said.

What is a Cookie?

We're not talking about a sugary treat.

When you go to a website, a cookie is a little token that is stored in your browser. Think of all the times you checked a box that said "keep me logged in" or "remember me." That's storing a cookie in your browser.

This allows the site to store some information and allows you to bypass efforts - such as logging in - each time you want to shop at Amazon or check your Facebook page or read an online subscription.

What is a Forged Cookie? Should I Be Worried?

A forged cookie is the same token that is stored in a browser; however, it's reverse engineered by the bad guys - tricking a website into thinking it was the original cookie.

"With that stored piece of data, an attacker could place that cookie on their own machine and then it would appear to Yahoo that browser had a cookie to bypass the login process," Shuman Ghosemajumder, chief technology officer of Shape Security, told NBC News.

Basically: Hackers could stay logged in to your account for as long as they wanted, without ever having to enter a password.