Yahoo CEO Marissa Mayer will lose her bonus and equity grants this year because of her handling of a 2014 hacking incident that may have compromised 500 million user accounts. Mayer wrote in a Tumblr post on Wednesday that she would give up the compensation because the security breach occurred on her watch. “[S]ince this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company’s hardworking employees, who contributed so much to Yahoo’s success in 2016,” Mayer wrote. The bonus alone could have been worth $2 million, double her annual base pay, according to Business Insider, which reported Mayer’s 2012 contract entitles her to an annual performance-based equity award of no less than $12 million. The huge hack is separate from a 2013 incident that affected 1 billion Yahoo accounts. A committee formed by Yahoo’s board concluded that a company legal team investigating the hack in 2014 should have done more, the company said in its annual report filed with the Securities and Exchange Commission on Wednesday. Yahoo said general counsel Ronald Bell will resign and won’t be paid severance. The committee found that company investigators “had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it,” Yahoo said. “As a result, the 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks.” Verizon is buying portions of Yahoo’s core business. The sale price was lowered by $350 million to $4.48 billion because of the hacks. The deal is expected to close by the end of June. Verizon also owns AOL, which includes The Huffington Post. Verizon and Yahoo agreed to evenly split the ”cash liabilities related to certain data security incidents and other data breaches,” Yahoo’s SEC filing said. Mayer said she learned of the 2014 hack in September. She described it as a “state-sponsored attack” that initially targeted 26 users. Since learning of the attack’s far-reaching scope, Mayer said she’s worked with other executives to inform “users, regulators and government agencies” about the extent of the invasion.