
Can't blame you for being hacked, but how can security be "core to who we are" if it took 6 months to discover a breach?


In a perfect world companies would recognize and react to security breaches almost as soon as they happen. But if you have ever managed the logging pipeline or incident response practice for a company, you understand that this is deeply unrealistic.

There is virtually no company which discovers that it has been breached within a short period of time - the nature of a security breach is such that it doesn't generally become apparent until some time later. This pattern continually plays itself out with just about every large breach you can think of.

In that respect, considering Weebly actually hashed their passwords with bcrypt and is reacting to the breach in the same year, they're fairly far ahead of the curve on this one.


Discovering a breach is arguably the hardest part.


They did not discover the breach; it was reported to them.


FYI: The median time to discover a breach is "infinite".

6 months is much better than the median :D


You're describing basically every breach ever.


You wish. I'd wager the majority never gets discovered.


Touché.



