Regarding user names, they are optional and meant to be public.
I think the biggest problem here has been that Coinbase hasn't been responsive to messages sent to their whitehat@ address. That and the fact that users are being spammed by "researchers," which is a problem that falls back on them to mitigate.
They haven't been "hacked" though, and the only thing that has been "leaked" is public account names and account existence. The latter is almost impossible to avoid if you require unique emails for accounts (if I'm wrong about that, please correct me).
That's just my naive two cents, so let me know where I'm missing the picture if that's the case! :)
Their official response confirms this: http://blog.coinbase.com/post/81407694500/update-on-coinbase...