In an older post, I stressed that Blizzard was not required by any law to notify users of internal data breaches. Many misinformed players, Blizzard employees and fans used this false information as the logical reasoning and proof as to why Blizzard's internal databases "have never been broken into" or account information stolen.
To be clear: Blizzard (nor any other gaming company) is not required by law to notify anyone of anything.
Here's a little excerpt I wrote at the time:
Now, if something very bad were to happen, then yes - a large announcement would be made.Well, it just happened with Runes of Magic. =]
Here's a link to the news article.
Basically, a hacker obtained login/personal data from their account database and is now holding the information "hostage" until Frogster/RoM Team changes the "forum communication practices and technical aspects of Runes of Magic operation".
The only reason that the company is releasing this information NOW is because it's been made public and they're being "held hostage." The data breach actually occurred back in 2007 by the way. They sat on this data breach information for 4 years before telling anyone and probably would have continued to do so until the hostage situation was made public.
Still think this hasn't happened anywhere else? It's actually more common then you think, and I'm not just talking video games.