Yahoo!
Yahoo!Reuters

The US Securities and Exchange Commission (SEC) is probing if Yahoo should have reported the 2014 data hack – which the company disclosed in September 2016 – and a previous data breach earlier to investors. 

Yahoo to be renamed as Altaba Inc, but there's a catch

In September last year, Yahoo blamed "state-sponsored" hackers for the 2014 incident wherein about 500 million user accounts were compromised and said it could be the largest-ever theft of personal user data. In December 2016, the internet company disclosed that in yet another incident around 1 billion of its accounts were hacked in August 2013. 

The SEC is investigating whether Yahoo's two massive data breaches complied with civil securities laws, the Wall Street Journal reported, citing "people familiar with the matter."

The US markets regulator had in December issued requests for documents as the agency requires companies to disclose cybersecurity risks as soon as they are determined to have an effect on investors.

Last year, Yahoo detailed in a November quarterly filing that it was "cooperating with federal, state and foreign" agencies, including the SEC, that were seeking information and documents about a "security incident and related matters."

Yahoo has faced questions about when exactly it knew about the 2014 cyber attack it disclosed in September 2016 because the company has so far never explained why it took two years to make the information public and who took the decision not to go public sooner. 

The investigation is in its early stages and it's too early to say whether it will result in any public action, the WSJ report stated. 

Yahoo is expected to report its fourth-quarter earnings on Monday after the market hours.

In early January, search engine giant Yahoo announced that the company is in the final stages of a merger with American telecom giant Verizon.