Democratic Senator Mark Warner has asked the US Securities and Exchange Commission (SEC) to investigate whether Yahoo and its executives fulfilled its obligations to go public about the hack in 2014 that affected 500 million user accounts.
In a letter to SEC chairwoman Mary Jo White, Warner said that public companies such as Yahoo are required to disclose material events that the public and shareholders should know about, and that "disclosure is the foundation of federal securities law".
Warner also asked the SEC to look into whether Yahoo made accurate representations concerning the security of its IT systems.
Yahoo has faced scrutiny regarding exactly when it knew about the breach since it was announced last week. The news came at a bad time for the company, in the face of its impending takeover by Verizon, which could be affected by the announcement.
Yahoo believes the cyber attack was state-sponsored, and said in its announcement last week that compromised information may have included names, email addresses, phone numbers, dates of birth, hashed passwords, and in some cases encrypted or unencrypted security questions and answers.
"The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information," the company added.
"Payment card data and bank account information are not stored in the system that the investigation has found to be affected."
It also said it has found no evidence that a state-sponsored hacker is currently in its network, and advised users to update their security details.
The stolen data is said to go back at least as far as 2012.