That's a moot point, surely? Everyone who used the app should receive an email from the people behind it very, very quickly - they've all been compromised.
The concern isn't just that RKearney has the keys - it is that anyone could have the keys for anyone on the site. Sending an email to the people whose keys he snagged would help them - but the people whose keys he didn't are still vulnerable too.
I imagine you were a little unsure of the timeline of things when you commented. Please keep in mind that I wrote this comment before the "never give your info" story and before the website developer commented here on HN. With that in mind I am not sure what point is a moot point?
Do I think the developer should email all of the users? Yes, which is why in my response to the developer's comment about destroying the IAM keys I said "You should think about sending an email to all of your users..."
Do I think that the right thing for rkearney to do is send emails to the people whose information he has? Yes. Is it the best possible scenario? No, but it is better than no notification at all, which at the time was a possibility.
The concern isn't just that RKearney has the keys - it is that anyone could have the keys for anyone on the site. Sending an email to the people whose keys he snagged would help them - but the people whose keys he didn't are still vulnerable too.