First, thank you very much for your comment, secondly, the anonymous person has forgotten to specifically highlight a certain detail
- The entity affected by this vulnerability is NOT a trustworthy company, it is not even a registered company. The service is or was operated by individuals and not under its own registered business entity.
They obviously do not wish to describe this service any further, but they want to assure you that no sane person would ever subscribe to it, yet there are thousands of paying active users.
These statements stand unchanged. The usage of "pretty extreme" could be regarding the "quality" of data, not quantity. Compared to the usual data leaks on HIBP it seems like an occurrence that happens frequently and the affected user count is abysmally low. Some anonymous person might fire off an email to Troy Hunt regardless.
While the anonymous person understands some of the responses, and will make super sure to do absolutely nil until they have spoken to an attorney (and obviously not access anything on purpose now), they too are a little bit surprised to see some users worried they might get kidnapped and similar.
It is like they have never seen any other regular person with money before.
I will tell an anonymous person to do this, but I’m not sure if Troy Hunt cares about a random one-of-thousands service and a few thousand affected users.
They have been considering this too, but realistically this is a little known service, there are thousands of it like it, and the affected user count is only in the thousands. I don’t know if any of these people would care in the first place. I will tell an anonymous person to try regardless.