The investigation is being handled by the Securities and Exchange Commission, which in 2011 began requiring companies to disclose information about hacking risks or incidents that may affect investors in a "material" way. And it could become a major test case that lays down clearer expectations about when businesses must reveal that information, analysts told the Journal.
Opened in December, the investigation is in its early stages, according to the Journal, and while it could lead to an enforcement action by the agency, such steps are rare. An earlier SEC probe into a 2013 breach Target did not lead to a punishment, even though the incident affected tens of millions of customer accounts. The SEC declined to comment for this story.
Shortly after Yahoo made its discovery of the 2014 hack public, critics called on the SEC for a deeper look at the company's conduct. In September, Sen. Mark R. Warner (D-Va.) said in a letter to the agency that Americans had the right to know "what senior executives at Yahoo knew of the breach, and when they knew it."
Yahoo declined to comment for this article, pointing to regulatory filings that say the company is cooperating with government officials — including those from the SEC — examining the hack.
But the probe's implications stretch far beyond Yahoo's immediate business. It also raises fresh questions for the telecommunications giant Verizon, which is in the midst of a $4.8 billion deal to acquire the former Web titan.
"I think it's going to get a lot uglier for Yahoo going forward over the next year," said Jeff Kagan, an independent technology and telecom analyst.
Verizon declined to comment. But executives have voiced strong concerns about the hacks, signaling in October that they may have had a significant impact on Yahoo's core business. Analysts say that a concrete finding of that sort by Verizon could allow it to renegotiate terms or even abandon the purchase altogether.
Verizon aims to use Yahoo's massive online audience — which ranks near the likes of Google and Facebook — to drive ad impressions and improve its data targeting. But the company must now balance those potential gains against the possibility that Yahoo may discover even more data breaches, analysts say — posing new potential risks and liability to Verizon that could lead to reputational or even monetary losses.
"We are already seeing the short-term impact on the Verizon deal, but it will be many months and even years before we see the true extent of the damage caused by Yahoo's 1 billion account breach," said George Avetisov, chief executive of the biometric security firm HYPR.
Verizon had expected the deal to close sometime in the first quarter. But in its quarterly earnings report Monday, Yahoo said it now expects the deal to close "as soon as practicable" in the second quarter, citing "work required to meet closing conditions."
In the same report, Yahoo chief executive Marissa Mayer said that efforts to improve the company's security posture were ongoing. About 9 in 10 of the company's daily users have either already beefed up their account security by changing their passwords or taking similar steps, or never needed to in the first place, according to the earnings report.
The fate of the deal remains in doubt as Marni Walden, Verizon's president of product innovation and new businesses, said this month that she was unsure whether it would go through.
"I can't sit here today and say with confidence one way or another, because we still don't know," she told an investor conference.
Yahoo shares closed up 0.83 percent Monday.
Renae Merle contributed to this report.