This just in via our Canadian correspondent Hankers:
"Yahoo has been contacting some of its users to warn them that their accounts have been compromised using "forged cookies". It's the latest security embarrassment for the company, which revealed in September that it had suffered a data breach two years earlier that affected 500 million user accounts; and admitted in October that a second security incident had affected around a billion accounts...
"The investigation has identified user accounts for which we believe forged cookies were taken or used," a spokesperson for the company said. "Yahoo is in the process of notifying all potentially affected account holders."
It's not yet clear how many people have been targeted, but Yahoo said that it began sending out the warnings to users on Wednesday. As with the 2014 breach that it disclosed in September, the company is claiming that "state-sponsored" parties are behind the latest attacks.
Yahoo confirmed to ZDNet that the emails sent to those customers are genuine. It explained that hackers had stolen the source code that it uses to generate cookies, and that it had invalidated the cookies after learning of the latest attacks." - Yahoo
So, if you receive an email from Yahoo, it's valid. I would change my password (regularly), but the forged cookie has been invalidated, in the meantime, by Yahoo.
Sources:
https://www.neowin.net/news/yahoo-is-warning-users-that-their-accounts-have-been-compromised-using-forged-cookies
http://www.zdnet.com/article/yahoo-warning-users-that-hackers-forged-cookies-to-access-accounts/ - original notification.