A Q&A published on Yahoo's website says the company believes that a "state-sponsored actor" was behind the theft of information on 500m users of its online services, and provides steps users should take if they are concerned - although it says the stolen data did not include bank or payment details.
Yahoo, once the most visited page on the world wide web, agreed in the summer to sell its core business to telco firm Verizon.
Yvonne Eskenzi, the founder of London's Eskenzi PR - which specialises in tech security and organised a week of events around the issue last October, not long after a high-profile breach involving UK mobile operator TalkTalk - said Yahoo's decision not to talk about the hack when it happened was "incredibly irresponsible".
"They should have been open and honest at the beginning and constantly updating their customers as and when they had more information on how large the breach was. You can't allow the hacking community to embarrass you into coming clean by selling customers details on the dark web. Yahoo had a duty to their customers first and foremost," she said.
That perspective was echoed by a cyber security expert speaking to the BBC this morning; the BBC is one of a number of news websites to have given the story extensive and prominent coverage. "I would have thought most companies had learned by now that early disclosure is better, even if you have to revise and update as you learn more," said a professor at the University of Surrey.
Pete Hendrick, a director at tech PR firm Octopus Group, said the delay "smacks of a decision at the time of the breach to not disclose as the brand has been somewhat struggling in recent years", and speculated that Yahoo must have come out with the news because it "likely got wind of the fact that a third party had discovered the breach".
He went on to say: "I’d advise any other brands in future considering covering up a breach not to. It’s a skeleton you don’t need in your closet."
Max Tatton-Brown, founder of Augur and one of PRWeek UK's 30 Under 30 in 2015, suggested Yahoo deserved some sympathy - but said it was unlikely to be able to win that.
"Yahoo is a victim here as much as its users. There’s only so much any one company or individual can do to try and keep data secure — and ultimately, there’s nothing you can do to stop a persistent, state-sponsored attack. However, that’s difficult to communicate without sounding like you’re passing the buck or undermining users’ confidence in your security forever," he said.
Alistair Turner, CEO of international tech and b2b agency Aspectus, also had sympathy for Yahoo's PR team, saying that the firm's approach to disclosing the attack was "a valiant attempt to control and shape the story", even if it was never actually likely to succeed, given how keen journalists would be on the story.
He also said the story could be very damaging for a brand in decline, commenting: "At its best, communications can re-engage an audience, turn around reputations, reinvigorate brands and restore confidence. Time is also a great healer. But this is the final round. When you are haemorrhaging money and users, time isn’t on your side. Yahoo is on a standing count."
Alex Kent, a consultant at the agency The Honey Partnership, suggested otherwise. "There will clearly be a firestorm in the media and [Yahoo CEO] Mayer might go, but public perception once it's died down is unlikely to change that much, long term."
He agreed, however, that the brand's timing with the announcement was "odd", especially given a lack of explanation for that. "There doesn't seem yet to be a clear logical reason for the decision," he said.
Rebecca Smith also contributed to this report.