The story comes from the Wall Street Journal's cadre of anonymous people familiar with the matter, who say that the investigation is at its earliest stage. The paper says that the SEC is looking to use Yahoo as a very public whipping boy for its potential refusal to make a material disclosure.

Back in 2011, the commission issued vague guidance about how, and when, companies should make declarations about their data being breached. Target, for instance, took a couple of weeks to announce its wide-ranging 2013 breach that involved people's credit card numbers.

At the time, the SEC found that delay to be reasonable, but there's a difference between a couple of weeks and the several years it took for Yahoo to come clean. One question that will be asked is how much Yahoo executives knew and understood about the 2014 breach when it came to their attention.

After all, plenty of things happened between the company finding out about the deal and when it chose to disclose that information to the public. The fact that Verizon had agreed to buy the business in the summer, but this rather material news was held back until fall and winter doesn't, uh, look great.