So the breach was in 2014, they didn't update their SHA keys for two years, they still don't know exactly how it got leaked and they're only now communicating this?

It's almost like it's a bunch of amateurs on a money-losing proposition or something.