That could be irresponsible, as a company which uses MongoDB for non-sensitive data (say, data in publicly available pages) would be shamed when they didn't have a data breach of sensitive data. Or worse, a company that has signed up but only played around with MongoHQ without using it in production. Each company should announce its own breach (and the scope of the data exploited) to its customers.
I understand all the implications you mention, and that's why I phrased it the way I did.
Though, the assumption I'm making right now is that the hackers know exactly what sites they've compromised. The longer they have this information in advance of MongoHQ's customers' customers, the more damage they can do. That sucks terribly for those people (potentially).
All this said, a serious lesson about PaaS/SaaS/DBaaS--whatever you want to call it--has been learned today.
[edit] - I'm reminded here of the Epsilon breach. Epsilon is magnitudes larger than MongoHQ and they apparently did decide to announce the names of affected companies. I am not sure how they handled that internally. [1]
In Epsilon's case those end users had direct consequences - their names and emails were compromised.
The end users of sites/apps/services using MongoHQ are probably unaffected in many cases since "a database" doesn't imply credit cards or even credentials or emails. The average database is probably just holding content for a site or app.
In probably close to all cases the end users would have no clue how they may be affected since they won't know what's in the databases, or what a database is.
I know that's not exactly proper but... at this point, the hackers are way ahead of the users of sites that happen to depend on MongoHQ.