Comment by parable

I'm glad they've seemingly made some sort of public statement on X and to media outlets, though they haven't emailed affected users yet.

They have yet to acknowledge the recovery method disclosure vulnerability which was exploited on a massive scale in February. The last time I checked, email addresses and phone numbers were PII. I don't live in the EU, but someone who does should complain to the relevant authorities about that.