100%. If it was truly small in number they would just email the handful of people affected, not compromise their brand by sharing this with the public.
To counter that last point you made, imagine the fallout if someone posted that email they received and then all the questions, concern, and outrage the company would get if they didn't publicly disclose. It's a damned if you do, damned if you don't situation. They probably should have stated the number of impacted users instead of a vague "small" amount when the attacker had access for over 6 months.