Yahoo under investigation over failure to disclose data breach earlier
The U.S. Securities and Exchange Commission has launched an investigation into whether Yahoo Inc. should have disclosed a data breach to its investors earlier.
According to The Wall Street Journal, quoting people familiar with the matter, the SEC opened the investigation in December and has issued requests for documents on the grounds that Yahoo may have breached civil securities laws in holding back information that may have had an effect on investors.
Yahoo revealed in September that more than 500 million user accounts had been hacked by a “state-sponsored actor.” It said the data did not include unprotected passwords, payment card data, or bank account information, and that the passwords were primarily bcrypt hashed. However, as SiliconANGLE reported at the time, the passwords in the user data that appeared on the dark web were MD5-hashed, meaning that they could be easily cracked and are nearly the same as being in unencrypted cleartext.
In December Yahoo confessed to a second hack of more than 1 billion accounts in a breach that dated back to August 2013, claiming once again that no payment card data or bank account information was compromised.
The SEC’s interest lies with the first disclosed hack last September as Yahoo has admitted that some employees were aware of the hack as early as 2014, the year the hacking occurred. Yahoo has not yet explained why it sat on the hacking information for two years prior to disclosure, given that its decision to go public with the information was likely prompted by the hacked data being made available for download from the dark web.
It’s not clear from reports how long the SEC investigation will take, but it’s said to be in its early stages. The case is notable because, as the WSJ notes, the SEC “has never brought a case against a company for failing to disclose a cyberbreach, given the blurriness of when an issue might be ‘material.’” It’s also an unusual case in scope and timing, given that there have been many other hacks in the last 12 months, such as Ashley Madison, Target and Dow Jones, for which investigations had not been launched so quickly.
Yahoo hasn’t provided any details on the investigation, saying only that it’s cooperating with “federal, state, and foreign governmental officials and agencies seeking information and/or documents about the Security Incident and related matters, including the U.S. Federal Trade Commission, the U.S. Securities and Exchange Commission, a number of State Attorneys General, and the U.S. Attorney’s office for the Southern District of New York.”