2. The error is presented like casual news. Sort of downplaying the incident and not acknowledging that they screwed up. If the accounts were freely accessible for 4 odd hours, it is pretty serious.
3. No actual details of bug introduced were provided.
4. The communication was done on blog, and emails were not send. Again, it is an attempt to downplay the incident.
So, to take it to one extreme, you think that if zero accounts were accessed, then it would be reasonable for zero users to be directly notified about this?
Some people might also be concerned that the note about sending emails wasn't added to the post until after there was mass outrage at the lack of notification. Makes it feel very inauthentic, as though they were really hoping they'd be able to sweep it under the rug.
2. The error is presented like casual news. Sort of downplaying the incident and not acknowledging that they screwed up. If the accounts were freely accessible for 4 odd hours, it is pretty serious.
3. No actual details of bug introduced were provided.
4. The communication was done on blog, and emails were not send. Again, it is an attempt to downplay the incident.