Report it. Move on. The onus isn’t on you to notify users. The onus is on the company itself. If they find evidence supporting data exfiltration they’ll be obligated to inform their users based on whatever privacy laws apply to their industry. If they fail to meet their legal obligations, that’s on them too. Just notify them via certified mail and keep a record.