Re: How about fining BT for also failing to disclose the breach.
They did it as they were aware of the no-password login issue that Yahoo had on their service, which is why they are moving away from Yahoo (some BT mail accounts seem to be still on a Yahoo service).
At least BT had a feature that automatically locked the account out when it detected a compromised account that was sending mass spam out, but as the hack did not need to know the password to log into the account, it was causing lots of support issues, as accounts were being randomly locked out because it was thinking the password was compromised.
A bunch of people I support had their accounts accessed to send spam out. What it would do, from what it seems, is gain access via the Yahoo Mail app API, then once it got the logged-in token it went on to the full site, scanned all contacts and emails, and mail-bombed all of them. If you ever got those random "Message undeliverable" messages in your inbox, your account was accessed for spam sending.
Note your password was actually never compromised, as they were bypassing the login process. I had one person's account over 4 times, every time a different password. There was a password database leak at that point, but it was unrelated to this getting into Yahoo accounts without passwords (some sort of XSS exploit/vulnerability to steal the login, but this one required zero action on the user's part; I had very old Yahoo accounts emailing me that had not been used for a long time). This was around 2013 when this happened. It has been fixed, and I like the single user login that Yahoo and MS use now; I have not used the password for years now (I wish Google would do it, as they support Yes/No login on all Android devices, or iOS with Google Search installed).