There’s an official response:
In December 2022, Nothing discovered a vulnerability, which impacted email addresses belonging to community members at the time. No names, personal addresses, passwords, or payment information were compromised. Upon this discovery nearly a year and a half ago, Nothing took immediate action to remedy the situation and bolster its security features.
Basically, this happened in 2022, and since then the necessary measures have already been taken. Also, as the source indicates, “No passwords or other sensitive info has been spotted in the file.” They were just email addresses.
Source