pull down to refresh

100%. If it was truly small in number they would just email the handful of people affected, not compromise their brand by sharing this with the public.
reply
To counter that last point you made, imagine the fall out of someone posted that email they received and then all the questions, concern, and outrage the company would get if they didn't publicly disclose. It's a damned if you do damned if you don't situation. They probably should have stated the number of impacted users instead of a vague "small" amount when the attacker had access for over 6 months.
reply