Startled, X fed the online form the utility account number and the last four phone number digits it was asking for.
EFF Senior Information Security Counsel Nate Cardozo (who will famously be leaving to help WhatsApp clean up its privacy issues) and EFF attorney Jamie Williams have been advising X concerning legal and ethical disclosure responsibilities during the entire process—because even today, the threat of legal action may come before a potentially flawed company offers anything resembling thanks or takes the necessary steps towards better security hygiene.
That said, website compromises are much like entropy: they trend toward the maximum.
Once a website is breached, the first thing attackers do is to dump the password database.
This isn't generally necessary to access accounts on the compromised site itself; once you've got root in the infrastructure, odds are pretty good you can already do whatever you'd like in that site.
As SEDC general counsel Mark Cole put in in an email: