There's the shared-private-keys argument, by which they wouldn't actually know how many requests were made. I haven't been followed very closely so I don't know if private keys thing was specifically denied - was it?
As far as I know, they deny any sort of blanket availability of data - so a shared private key would seem to be denied under that guise. I think claiming a number as they have, and a number of affected users, would also be denial of that. Circular logic, but we can't do much better. If they're lying and just made up these numbers, there's nowhere to really go with that.