It seems a bit irresponsible that they say there was no E-Mail breach when the phishing E-Mails can easily get the E-Mail addresses just by clever manipulation tactics. For example, the attacker can embed tracking pixels or unique links, or the E-Mail might contain a link that redirects to a phishing page where you have to enter details, or they can even exploit browser plugins to get personal info, like E-Mail addresses.
Their second tweet is just them trying to push off responsibility.