It provides an SaaS solution, and it had a security breach. If we compare their solution to Salesforce, is it Salesforce's (legal) responsibility to keep all of your customers' data encrypted and inaccessible to anyone except your company? Only if they provide an SLA saying that, or otherwise advertise that feature. Blue Toad never advertised that feature, and it wants to be invisible to its end users.

Legal responsibility? Probably not. Ethical responsibility? I think so. Think about if, say, Conde Nast got hacked and login information was leaked from all of their servers. What would I expect from Ars Technica, Wired, Reddit, etc? A link to a Conde Nast page with one unified statement, closing with something like "We at Ars and Conde Nast apologize...", "We at Wired and Conde Nast..." etc.

Even if Blue Toad wants to be invisible to end users, it's gone a little beyond that. Legally they only have to follow the fairly open-ended PII laws that are in place (I believe California is the only state to require they notify users of a breech), but ethically I believe their responsibility falls a little beyond that line.

What if AWS security was breached. Do you think they should email all Dropbox customers to inform them of the breach or leave that responsibility to Dropbox? (Dropbox is hosted on AWS) I think that analogy is more accurate because Conde Nast actually own the web properties you mentioned whereas BlueToad is an independent service provider.

The Conde Nast analogy breaks down since Conde Nast owns all those publishing properties while BlueToad is just a service provider to multiple, separately owned publishers. I think it's fairly reasonable to let the B2C entity be responsible for contacting the consumers.