Of course, but incident response is a tricky beast. It's overwhelming at best. Even the most prepared teams have to prioritize and end up making decisions that don't necessarily look great in hindsight.
There's always a human element, and as someone who's had experience being paged at 4 AM while on vacation because some random person decided that would be a great time launch an attack, I certainly empathize with what they're going through right now. Again, that's not to say I condone the silence or their security practices, but it's a tough situation to be in.
Keep in mind the actual attack in the spotlight here wasn't a DDoS attack, and it's important not to conflate the two. Denial of Service is just that: users have trouble accessing a service. It doesn't mean data has been leaked. That's not what appears to have happened here.
When enough real people visit a website, it has the same effect as a DDoS attack. If a lot of people are trying to log in right now, it will be indiscernible from the users' perspective: the site will slow down and fail to function properly. That's not an attack; that's just a side effect of everyone panicking.