
There never is a break-in where they get 1/3 or 1/2 of the accounts. It has to be nearly all or some much smaller fraction. (My own presumption, based on the idea nothing large does mere 2 to 3 way replication or partition.)



It depends. It's possible a company could catch a breach while the data is being dumped to s3/russia/wherever and cut it off before everything is extracted.

Another possibility is that only one particular system is breached, which wouldn't actually affect all users of a given company. If Facebook were hacked, it's possible that only the ad-buy system is compromised and not their entire user store, for example, thus exposing only people who have purchased ads and not all users.


> Another possibility is that only one particular system is breached, which wouldn't actually affect all users of a given company

And a third possibility, especially given today's trend to distributed systems, is that the attacker gains access to one shard (or its dump) only.


I am assuming shards are much smaller than 1/3rd of all the data.


If you store EU user data in the EU and other user data somewhere with less restrictive privacy laws, an attacker could get hold of one or the other reasonably.

On the other hand, yeah, it's much more likely the entire account database was dumped.


> It depends. It's possible a company could catch a breach while the data is being dumped to s3/russia/wherever and cut it off before everything is extracted.

At that point honest behavior would still assume all accounts were transferred. You don't know that data was not transferred earlier or it's also hard to estimate what part of data was sent successfully.

If data could be accessed it should be treated as compromised.



