After trying multiple times to find a way to survive as a standalone entity, Yahoo finally convinced Verizon to buy most of the failing Internet company last year for $4.8 billion. But the sale process has been anything but smooth, and one of the biggest potential roadblocks was the news that the company was the target of two massive hacks that exposed the data of hundreds of millions of users.
Although the two attacks happened in 2013 and 2014, Yahoo (YHOO) didn’t disclose this information until last year—and most importantly, it didn’t divulge that news until after it had already signed the deal with Verizon (VZ). The telecom giant has since said it is re-evaluating the offer.
Now, to add insult to injury, the Securities and Exchange Commission has opened an investigation into the company’s failure to tell shareholders about the incidents, according to the Wall Street Journal. The securities regulator is just one of a number of federal and state agencies that has asked Yahoo for documents on the attacks, along with the Federal Trade Commission and the U.S. attorney’s office.
Get Data Sheet, Fortune’s technology newsletter, where this essay originated.
Under SEC rules, companies are supposed to disclose any and all information that might be “material” to investors, but there is no precise definition of that term. If the regulator finds the two massive data breaches were things Yahoo should have told its shareholders about, the company could be fined.
One investor that would probably have liked to know about the attacks sooner is Verizon. Since the news broke in December, all the telecom giant has said is that it is reconsidering its original offer. That could mean that it just wants a better price—or it could lead Verizon to walk away from the deal completely. In either case, Yahoo’s reputation will take yet another blow.