If random security researcher does this kind of disclosure, fine.

But if serious company that seems to offer services to seemingly plenty of serious customers acts this way, I'd not want to be their customer, if they seem to have such a cavalier attitude, disclosing stuff without even a sniff of "we notified the company about the breach".

It was fixed. Disclosing it after it's fixed is responsible.

Uh, I don't know, but cannot DeepSeek do that, for starters? Being located in a different country than the service you are attacking doesn't really make you immune to being sued.