Reported this to AG publically on one of their forums they run with UK coverage yesterday and their whole attitude seems completely meh and are blaming it on a 3rd party plugin. I'm not that bothered I'm in the dump because I don't reuse passwords so meh myself.
They've half heartedly started to run through a password reset proceedure today and they've managed to reset mine and not tell me the new credentials. That's one way to shut up exposure!
What gets me the most is this breach happened in feb 2016, and yet now only after public prompting are they even telling people to reset their passwords. And they are not even advising people to reset them elsewhere. Lackluster response so far...