> From an attacker’s perspective, this does not grant access to accounts or sensitive data
I think there might be an effort in the "security" snake oil industry to classify publicly available data as some sort of breach. Probably because for a security company it's a quick win finding such a "breach" you can generate publicity with and/or scare clueless executives into buying your solution/consultancy services. I think there was a similar "breach" at Twitter where it turns out it was all publicly available data users themselves put on their public profile that was scraped.
I've personally had people argue with me that disclosing whether an account was registered was a major breach and that we should do "something" about it, yet refuse to change the registration form to also not disclose that fact (since otherwise we'd have to move the registration process behind an emailed link and ask the user to wait for the confirmation email to continue, killing conversion rates).
The "something" was done, and of course the bad guys promptly moved on to the signup form. But hey, as far as I know, we're now secure™.