Any negative news that can influence the share price is material information. A hack, involving payment means, of 500M users is definitely material information.
Also. As the excellent Matt Levine never ceases to repeat : everything is securities fraud.
If you didn't state in your regular filings "our security is poor, we may get hacked", then you lied by omission.
The SEC’s job is the integrity of the securities market. The user would be the concern of a consumer rights authority (the FTC) or a privacy protection one (I don’t think the US has one of those on the federal level?). That the SEC is the way we learn about these things is nothing more than a relatively recent hack, and how widespread the damage from that hackery is going to be is not yet clear.
(E.g. “money laundering” seemed like a reasonable hack for the first couple of decades, but these days banks have turned into an surveillance and enforcement apparatus with a presumption of guilt and no right of appeal.)
I don't make the rules, and it is unfortunate there is still a wide gap between current state and desired end state wrt citizen harm; to understand the rules is to leverage them to arrive at a desired outcome. Code for some hackers, legal and regulatory frameworks for others. Simply different syntax, runtimes, and exception handling.
The reason the investors care is presumably because of the fear that there will be significant, material financial consequences for the business arising from harms that affect the users.
If the expectation was that users were screwed and would not be entitled to any compensation, then the news of this breach would be no more material to the company’s investors than learning the at the air conditioning was set to the wrong temperature in one of the company’s offices for a few hours.
Also. As the excellent Matt Levine never ceases to repeat : everything is securities fraud.
If you didn't state in your regular filings "our security is poor, we may get hacked", then you lied by omission.