SO is a good company and this is what good companies do

Would you prefer that they didn't?

I think I would prefer to wait until they have something more specific to disclose. The current update gives me absolutely nothing to go with.

It's as if a prison disclosed that the front gate was left unlocked for several minutes and they're still counting the prisoners. I would much prefer to hear about it after they have learned whether anyone escaped.

Because if they didn't, they'd get criticism about not doing so right away. Also...GDPR?

This is not related to GDPR afaics, but at least in Germany, there is an IT security law that governs how companies must disclose security breaches. (Don't get your hopes up, that law is entirely toothless in practice.)