Pre-context: Twitter admitted they had found a bug that showed all passwords in plain text rather than masked and encrypted. Their CTO Parag Agrawal commented:
We are sharing this information to help people make an informed decision about their account security. We didn’t have to, but believe it’s the right thing to do.Parag Agrawal
Just the mention of "didn't have to" makes you question their views on integrity and privacy. I'm interested in how the GDPR would view this scenario as there technically isn't a breach (under the GDPR, the company is legally obliged to notify users within 72 hours), it's a breach waiting to happen. It's like the bank left all of their customers money in the lobby.