The blog post explains that, and gives their reasoning:

> Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.

So basically, they decided that because:

1. The data exposed wasn't very sensitive (name, email address, occupation, gender, age, etc) 2. They couldn't identify any specific users whose data was leaked 3. They couldn't find any evidence that the bug was actually exploited 4. There were no actions you could take to remedy the problem (no software to update, no passwords to change, no CC numbers to revoke)

that they weren't going to notify users about the bug.

Still, I would have appreciated at least a blog post or something so if I started suddenly getting more spam emails or something I could at least identify the source.

I'm starting to think "security flaw", "bug", and "data breach" has become a cover for giving data to people you are not supposed to. Facebook had a "data breach" on September 28th that compromised 50 Million people.

Interesting how this is all happening right before midterms. Could these companies be trying to impact the elections and they need plausible deniability? Announcing an exploit seems like an easy way to cover ones ass.