This topic contains all cases which describe the effort of the service to protect your account from unauthorized access.
Could there be a case where the service may/isn't required to notify users if their data has been exposed from a breach?
@Peepo, that's a good idea
https://edit.tosdr.org/points/10558