[massaman_yams]

Bulk emailing notifications to all affected addresses would be a deliverability nightmare, and would require manual intervention at most ISPs to prevent these messages from being blocked, which said ISPs may or may not be willing to do.

Just think of the number of clueless users who would mark such a notification as spam, and the number of old, dead addresses, some of which are now spamtraps.

edit: clarify bulk vs. individual notifications

[dmix]

That's a service Have I Been Pwned has been offering for years...?

[massaman_yams]

For single addresses that specifically request it, which is both fine and hugely different from bulk notifications to any/all addresses observed in a breach, which is what I was referring to.

But I realize the wording in the original post is a little ambiguous; I had read "provide ... directly" as implying "push", but that may not be the case, and if so my comment above is not relevant.