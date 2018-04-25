Hector Mata / AFP/Getty Images

Yahoo's cybersecurity failures continue to haunt the company -- now to the tune of $35 million.

The Securities and Exchange Commission announced on Tuesday that Altaba, the company formed from the ashes of Yahoo's sale to Verizon, has agreed to pay a $35 million penalty to settle charges that it failed to disclose a massive data breach from December 2014.

That breach affected at least 500 million users in a state-sponsored attack, and was considered the largest data breach in history until Yahoo announced that all 3 billion accounts on the website had been hit in a separate hack.

In the 2014 breach, Russian hackers stole data on 500 million accounts, including phone numbers, passwords, birthdates and email addresses. This cyberattack was not public knowledge until 2016, when Yahoo announced it in a press release.

"Yahoo's failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach," Jina Choi, the SEC's San Francisco regional office's director, said in a statement.

Altaba declined to comment for the article.

Disclosing breaches to the public in a timely manner is important, for both investors and the people using the platform. It ensures that people can take precautions with their digital lives before it's too late, but companies have been slow to announce these hacks.

Multiple tech companies have faced scandals over failing to disclose breaches in a timely manner. In March, the Pennsylvania attorney general slammed Uber over waiting more than a year to disclose its breach. Facebook's data scandal, while not a breach, was criticized because it took up to two years for the public to be notified after Facebook learned about the issue in 2015.

"I've been saying for years that Yahoo's failures to notify customers and investors about its massive data breach didn't pass the smell test," Senator Mark Warner, a Democrat from Virginia, said in a statement. "Holding the company accountable is important, and I hope others will learn you can't sweep this kind of thing under the rug."

The SEC launched its investigation in January 2017, arguing that Yahoo mislead investors by keeping quiet about its breaches. The revelations came as Yahoo was attempting to close a $4.83 billion acquisition deal from Verizon. The cybersecurity shortcomings lead Verizon to knock off $350 million from the deal, as well as splitting legal and financial responsibilities related to the hack.

In a separate SEC filing from 2016, Yahoo admitted that some of its employees were aware of the 2014 breach, but failed to disclose it.

The Justice Department has indicted the four hackers responsible for Yahoo's 2014 hack, though the attackers behind the breached 3 billion accounts are still unknown. Marissa Mayer, Yahoo's CEO during the breaches, apologized to Congress last November, but didn't explain why it took so long to announce the attack.

