by jjarmoc 4018 days ago
I would also appreciate more detail, but that shouldn't be their first priority.

They note that they discovered the breach on 'Friday' so I imagine they have an ongoing Incident Response right now. They may not have or be ready to share this information at this time, and that's fine. They might be working with law enforcement, further hardening systems, and continuing to confirm their findings to date to ensure they've mitigated the full impacts.

What's important now is conveying how users are impacted and what steps they should take to protect themselves; hopefully the rest comes in time.


Another pain point is the delay from Friday's discovery to Monday's disclosure. While it's better than the sometimes weeks other companies have taken, it screams of the discovery happening at 4pm on a Friday, and everybody then saying "bah fuck it, go home for the weekend, we'll work on it Monday". A security compromise like this should have been made known by Saturday at the latest, and worked on over the weekend. 3 days is a long time for leaked passwords to go unnoticed to users, regardless of the encryption scheme being used.

I feel like that's a reasonable timeframe from 'hmm, something is odd' to 'we're pretty sure we fully understand the impact, time to notify users.'

There's a balance between early notification and misstating the impact.