> I can't imagine they'd spam every account with an email address

It's not "spam" if it is relevant to me, such as security incident disclosures.

Also, as tiffanyh pointed out, what's wrong with Github blog or is that exclusively for marketing fluff now? That would've been appropriate enough, without having to spend Sendgrid credits.

Mailing every (potentially) affected entity is common and good practice for major incidents.