Comment by parable
15 hours ago
As far as I'm concerned, failing to report breaches like this is illegal in some jurisdictions. They already didn't report the other email address disclosure bug that was widely abused, and they likely won't report this either.
At the very least, if they really don't want to make a public statement, they should send out emails to affected users. With all the data they collect, I'm sure it's possible to run a query that selects all users who have been "recovered" by AI support and whose usernames were subsequently changed shortly after to find a victim list of some sort.