I respectfully disagree. By changing your password, you can either evict an attacker who has already logged in and is watching your account, or one who plans to in the future with your exposed credentials. This is important for an email account, especially if it is used as a recovery email for other accounts (like banking, etc.).
Changing your password should be the first thing you do when notified of a potential breach.
When a system is compromised, it will contain so many backdoors and hacked software libraries. So to change your password will just tell the attacker how to complete your personal password portfolio: people is mostly using the same passwords on many sites, so they collect passwords and try them on other websites.
When a system is compromised, the only way to fix it is to build another from scratch: there are too many malicious routines which can be everywhere, starting from libraries, operating system, even firmware - which is very close to hardware - can be compromised.
Until Y! don't literally wipe it out and create a new system from scratch, a compromised system is the last system you should give your new credentials to. Since they don't even have money for their business as usual, it is very unlikely they will create a new system from scratch.
I'm sorry, to give Y! new credentials is the best way to get them stolen again.
But the customers don't own the system. The exposed password, if not changed, can be sold to many others which increases the chances of misuse. Changing it reduces the risk (which is all we do in security anyways) of loss over time.
Only if you put a "one-time" password and then delete your account. A compromised system, today, is compromised FOREVER. You can only abandon it, unless the owner decides to rebuild from scratch.
The customers can own the system: just self-host. Today is not that hard. I am doing at home.