Same as the December breach. https://www.bit-tech.net/news/bits/2017/02/17/yahoo-warning-forged-cookies/1
This was an obvious problem around that time that Yahoo decided to ignore at least 5 people I know and delt with had there account accessed in this way, they would login to your account without password scan all emails and contacts for addresses and then send spam email to each one and you would only know it has happened when you get the mail delivery fail messages and when yahoo had a login history page you could see it from there one from the yahoo mail app then website access Changing the password or even 2fa enabled did not prevent them from doing it again 2-3 more times