INTERNET HAS-BEEN Yahoo has been slapped with a $35m fine for its failure to disclose a massive 2014 security breach.

The hefty fine is the first the Securities and Exchange Commission (SEC) has levied against a public company for failing to disclose a cyber breach.

It comes after Yahoo failed to properly disclose details of a 2014 hack that resulted in the theft of more than 500 million users' details, including usernames, email addresses, encrypted passwords, birthdates, phone numbers, and security questions and answers.

That breach is separate from a 2013 hack, which is now known to have compromised all three billion Yahoo accounts.

The SEC said this week that the company's information security team knew about the 2014 intrusion, which has been attributed to Russian hackers, and reported it to senior management and the legal department.

However, it says that Yahoo failed to investigate the breach and report it to investors for more than two years, and only disclosed details of the hack when Verizon said it wanted to buy the company in 2016.

"Yahoo's failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach," said Jina Choi, director of the SEC's San Francisco Regional Office.

"Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors."

Steven Peikin, co-director of the SEC's Enforcement Division, added: "We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company's response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case."

Last year, the US Justice Department formally charged two Russian spies and two criminal hackers in connection with the 2014 hack.