Yahoo's top lawyer Ronald Bell has resigned, and its chief executive Marissa Mayer lost her 2016 bonus, after a board investigation of the theft of information on more than 500 million user accounts in 2014.

Senior executives, company lawyers and information security staff were aware of the hack in 2014 and also knew about subsequent attempts to break into the affected accounts in 2015 and 2016, but failed to "properly comprehend or investigate" the situation, the company's board of directors said in a securities filing.

The board "did not conclude that there was an intentional suppression of relevant information".

The hackers, who Yahoo believes were connected to a foreign government, used the stolen information to forge a type of software called a cookie that could be used to access 32 million Yahoo accounts, the company said.

Mayer, who will also give up her 2017 equity compensation in connection with the incident, said in a statement that she did not learn of the breach until September 2016, when Yahoo first disclosed the hack to the public.

"However, I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year," she wrote.

Under Mayer's employment agreement, her annual target bonus is $US2 million ($2.6 million) a year and her annual stock award is supposed to be no less than $US12 million a year. Her base salary is $US1 million a year.

The company's filing, which it said concluded its investigation, avoided naming any individuals responsible for Yahoo's security woes, and it left many important questions unanswered.

The board offered no new information about the company's apparent failure to notice a separate theft in 2013 of the account information of 1 billion users.

That theft - which was discovered last year by an outside security expert who noticed the information for sale on the black market - was so serious that Yahoo forced all affected users to reset their passwords.

"We have not been able to identify the intrusion associated with this theft," the board said.

Yahoo is eager to put the incidents behind it and move forward with the sale of its internet operations to US telco Verizon.

Last week, the companies announced that they had renegotiated the deal because of the breaches, shaving $US350 million from the price, and they hope to close the transaction by the end of June.

Bell, a longtime lawyer at Yahoo, appears to be taking the blame for the company's security failures. Yahoo said he resigned on Wednesday and would receive no payments in connection with his departure.

The company's chief information security officer at the time of the 2014 breach, Alex Stamos, left for Facebook in 2015 after repeated battles with Mayer over security priorities.

Yahoo said that 43 consumer class-action lawsuits related to the breaches had been filed against the company in federal, state and foreign courts. It also faces a stockholder class-action suit.

The company said that it was also co-operating with federal, state and foreign government officials and agencies seeking information about the incidents, including the Securities and Exchange Commission, the Federal Trade Commission, the US Attorney's office for the Southern District of New York and two state attorneys general.

Yahoo said it had revised its procedures for responding to cybersecurity incidents, including the reporting of such incidents to senior executives and the board.

The company has incurred $US16 million in direct costs so far related to the breaches.

New York Times