Yahoo may be about to discover that no matter how bad things are, they can always get worse. After last year’s revelations that it suffered two massive data breaches affecting over one billion users, the company is now under investigation by the Securities and Exchange Commission for not disclosing the hacks to investors earlier.

The Wall Street Journal reports that the SEC opened the investigation in December, according to people familiar with the matter. With Yahoo still in the process of being acquired by Verizon in a $4.8 billion deal, the Commission has requested documents from the troubled firm to determine if its disclosures regarding the breaches complied with civil securities laws.

Back in September last year, Yahoo said personal data from 500 million users had been stolen by what it believed was a state-sponsored attacker in late 2014. Unprotected passwords, credit cards information, and banking data weren’t stored on the affected system, but the passwords that appeared on the dark web were MD5-encrytped, making them easily decryptable.

Two months later, Yahoo announced that it had suffered another data breach by an “unauthorized third party,” this one dating back to August 2013 and affecting more than one billion users. The two hacks reportedly caused Verizon to rethink the deal, and it is now apparently asking for a $1 billion discount.

Yahoo admitted that some of its employees knew about the first hack as early as 2014, but hasn’t explained why it took two years to publicly reveal the breach.  Democratic Senator Mark Warner asked the SEC to probe the attack after it came to light in September.

As noted by the WSJ, the SEC “has never brought a case against a company for failing to disclose a cyberbreach, given the blurriness of when an issue might be ‘material’.” News of the investigation has seen Yahoo’s share price fall.