The company that owns the remnants of Yahoo has been fined $35 million for not immediately disclosing that Russian hackers stole personal data from hundreds of millions of accounts, the Securities and Exchange Commission announced Tuesday.

Altaba, all that remains of the tech company known as Yahoo, agreed to the fine without admitting or denying guilt in order to settle charges that it misled investors by failing to disclose one of the world’s largest breaches.

According to the SEC’s order, within days of the December 2014 intrusion, Yahoo learned that Russian hackers had stolen what its security team referred to internally as the company’s "crown jewels," meaning its usernames, email addresses, phone numbers, birthdates, encrypted passwords and security questions and answers for hundreds of millions of user accounts.

“Although information relating to the breach was reported to members of Yahoo’s senior management and legal department, Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors,” the SEC said.

The breach was not disclosed to the investing public until more than two years later in 2016, when Yahoo’s operating business was in the process of being bought by Verizon for $4.5 billion.

“We do not second guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case,” said Steven Peikin, co-director of the SEC Enforcement Division.

Jina Choi, director of the SEC's San Francisco Regional Office, added, “Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach.”

When Yahoo filed several quarterly and annual reports during the two-year period following the breach, the company failed to disclose the breach or its potential business impact and legal implications, the SEC said.

Yahoo did not immediately share the information with its auditors or outside counsel and failed to maintain disclosure controls and procedures, the order said.

The SEC did not say what the hackers did with the information they obtained.