Any company with even a small amount of success will be sued for any public mistake, whether it violates the law or not - especially if you're open and transparent about what happened and why.
Class-action trolls, like patent trolls, are just another business risk.
Sure they were transparent? They didn't say what the bug was, how it was introduced, what they are doing to stop it happening again. They didn't email all their customers immediately.
I'm sure that in this situation and legal climate, the only way they could've potentially avoided a lawsuit was to try and keep it quiet (to the detriment of their user base).
Sadly, doing the right thing just makes you a target.
Potentially. But see how LastPass dealt with a potential breach [1]. Have not heard of them being sued. I don't think "cover it up to avoid getting sued" is the right message.
I think it is unfair for them to be required to email their entire userbase when maybe 0.1% were POSSIBLY affected.
They emailed the people that logged in during that time and anyone that had a shared folder with anyone that logged in during that time. That seems pretty fair to me.