I think they should notify everyone affected. Provide them with what was leaked, when, how, and how its been patched. And also provide the user the ability to have all the data permanently deleted from their datastore if they desire.