Yahoo's UK arm has been fined £250,000 ($335,000) by the UK Information Commissioner's Office (ICO) over a data breach affecting more than 500 million users which took place in 2014.
The incident was reported two years later.
The firm said "state-sponsored" hackers had stolen personal information, which included names, emails, unencrypted security questions and answers.
The ICO said Yahoo had failed to take appropriate measures to protect it.
Yahoo said it did not comment on regulatory action.
"The failings our investigation identified are not what we expect or will accept from a company processing significant volumes of personal data," wrote deputy commissioner of operations James Dipple-Johnstone in a blog.
"Yahoo! UK Services Ltd had ample opportunity to implement appropriate measures, and potentially stop UK citizens' data being compromised."
Around eight million of the affected accounts were believed to belong to people in the UK.
The ICO's investigation also found:
- The firm failed to ensure that its Yahoo-owned data processor "complied with the appropriate data protection standards"
- It did not ensure that the credentials of employees with access to customer data were monitored
- There was "a long period of time" before the flaws which led to the breach were discovered or addressed
Verizon acquired Yahoo in 2017 and combined it with AOL to form a company called Oath.
The firm was investigated under the UK 1988 Data Protection Act which pre-dates the new European data regulation GDPR.
Tony Pepper, CEO of Egress Software Technologies, said the data breach would go down in history as "one of the most notorious" - both because of its size and the two-year period between the attack and the report.
"Although the fine has been a long time coming, I imagine there would be some sighs of relief that the investigation was carried out under the Data Protection Act, rather than the GDPR which has much tougher consequences for a breach," he said.