In the latest installment of its multi-year breach saga, Yahoo is now contacting users whose accounts they believe were illegally accessed using the information stolen in the 2013-2014 breaches.

In the communication sent to the affected users, Yahoo stated that “Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.” Accessing the account can allow the attackers to steal additional personal or financial information not leaked in the original breach.

If you have not changed your Yahoo password and security questions recently, now is a good time to do so.

Not sure if your account info was stolen in the Yahoo breach or in one of the numerous other leaks? Check for free.