Altaba, the holding company formed to carry the remains of Yahoo after it sold its core business to Verizon, has agreed to pay a $35 million fine to the Securities and Exchange Commission for Yahoo’s failure to quickly inform users about several massive breaches.

Hackers stole the data from all 3 billion Yahoo accounts as well as some personal information in 2013. A separate 2014 incident affected 400 million Yahoo accounts. In the 2014 breach, hackers forged cookies that enabled them to log into targeted accounts without obtaining the passwords.

Yahoo didn’t disclose the breaches until late 2016, after its sale to Verizon was already underway. Verizon ultimately negotiated a $350 million decrease in the acquisition price, due to Yahoo’s poor cybersecurity and incident response.

Steven Peikin, co-director of the SEC Enforcement Division, said: “We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”

The Securities and Exchange Commission’s case marks the first time it has ever gone after a company for failing to disclose a cybersecurity breach. Altaba agreed to settle without admitting or denying any wrongdoing.