Yahoo! has agreed to pay a $35 million fine to resolve federal regulators' charges that the online pioneer deceived investors by failing to disclose one of the biggest data breaches, which affected three billion users.
Personal data was stolen from hundreds of millions of Yahoo users in the December 2014 breach attributed to Russian hackers. The US Securities and Exchange Commission (SEC) said that the company, now known as Altaba, has agreed to settle charges.
Yahoo eventually acknowledged that the 2014 hacking attack and a separate one in 2013 affected all 3 billion accounts on its service.
According to the SEC's order, within days of the December 2014 intrusion, Yahoo's information security team learned that Russian hackers had stolen what the security team referred to internally as the company's "crown jewels".
These "crown jewels" were usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts.
The fact of the breach was not disclosed to the investing public until more than two years later, when in 2016 Yahoo was in the process of closing the acquisition of its operating business by Verizon Communications, Inc, the statement read.
"We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company's response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case," Steven Peikin, Co-Director of the SEC Enforcement Division, was quoted as saying by IANS.
The SEC statement said that when Yahoo filed several quarterly and annual reports during the two-year period following the breach, the company failed to disclose the breach or its potential business impact and legal implications.
"Instead, the company's SEC filings stated that it faced only the risk of, and negative effects that might flow from, data breaches," it added.