It could be that they are restricted from providing more details due to the nature of the issue? It sounds like a cop-out and is, but if for instance it was under active investigation, and it was something big, they might be able to reset customer passwords while not identifying information to the attacker.

On the other hand, this type of action would give it away either way, so maybe even that excuse doesnt smell right.