Yahoo is facing security concerns after they detect potential malicious activity on some users account between 2015 and 2016.

According to the latest development in the internet company’s investigation of a mega-breach, it is exposed that 1 million user’s become the hacker victim several years ago.

On Wednesday Company started notifying its users that their accounts had potentially been compromised. But they remain mum on the number of the account affected.

The catastrophic breach raised questions about Yahoo’s security and destabilised the company’s deal to sell its email service, websites and mobile applications to Verizon Communications.

A warning message sent to Yahoo users Wednesday read: “Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.” Some users posted the ones they received to Twitter.

It was not immediately clear how deeply connected the malicious account activity was to the two record-setting hacks of users’ data Yahoo disclosed last year. The company said in December that the problem with forged cookies — data strings used to connect users with websites — had been identified separately from the firm’s probe into the hacks. But Yahoo said the state-sponsored actor it believes responsible for the smaller of the two huge data breaches was involved in some of the forged-cookie intrusions.

“As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users’ accounts without a password,” Yahoo said in a statement Wednesday. “The investigation has identified user accounts for which we believe forged cookies were taken or used.

“Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again.”

Yahoo’s security investigations are nearly finished, and the firm has notified a “reasonably final list” of affected users about the cookie-related compromises, a person familiar with the situation said Wednesday.