Yeah; the timing is generally not great, either. People got hit by a plethora of GDPR-driven privacy policy updates, website changes, and site closures; the GSK and Parabon situations with GEDmatch have caused people to hide or remove kits, and the media to weigh-in on privacy and security concerns about DNA testing in general; and now this, just scant days later. Not like MyHeritgae could pick and choose the timing. To their credit, it seems they released the statement as soon as they had verification of the incident. Now it's on multiple news websites.
Just an aside, email addresses are always more vulnerable than passwords. That's why I use a different email address on (almost) every website I register. Sounds more daunting than it is. There are a number of services to help with this; the one I use is 33mail.com. To reap the full benefit, there's a small annual fee, but then I can generate email addresses on-the-fly (meaning I don't have to create them; I just use one to register somewhere and the address is created automatically) and any mail sent to that new, unique address forwards back to my regular email address. No muss, no fuss. And if something like this breach happens, I just change the email address on file at MyHeritage, then go to the email service provider and block the compromised address. Once an email address gets out in the wild, it stays there.