The response to this bug is atrocious and shameful. The developer that responded to this did the same as putting on a blindfold and declaring that because they could no longer see the bug, it must not exist.
Right from the get-go, schofield showed incompetence when they declared they couldn't reproduce the bug, even though it was explained to them plainly and thoroughly!
Furthermore, Yahoo cannot unilaterally choose to define what is "sensitive". In the EU, many countries' implementations of the Data Protection Directive consider e-mail addresses personally identifiable information, which makes them subject to the relevant laws.
Given that Yahoo operates in a number of European countries, and has offices and legal entities in many of them, this potentially means they are legally liable for data protection breaches if they don't plug this hole.
Indeed. In Spain, the LOPD (Data Protection Law) states that an email address is personal information. Many companies have been fined for leaking emails, especially when sending mass emails with all the addresses in the "To:" field instead of BCC.
I don't think schofield's response was great, but he certainly didn't pretend the submitter was making something up; he just didn't think the information exposed was sensitive. Realistically this isn't a bug in the software, it's an issue with the design of the invitation feature from a legal/UX standpoint. Either the user sending the information should be aware the information is not private, and/or the invitations should expire at some point.
Expiration helps very little if the valid IDs are still easily enumerable. Access control, not expiration, is what is called for here.
Edit: expiration would limit the scope of data leakage, and should also be looked into, but expiration without access controls still allows patient attackers to collect all of the data being generated and store it for future use.
Why do you think schofield is a developer? I didn't see any indication in this conversation.
Every company I have worked for has a support organization that deals with customer tickets like this. They might escalate the issue to development, or they might not. But either way they're the ones involved in the conversation.
Right from the get-go, schofield showed incompetence when they declared they couldn't reproduce the bug, even though it was explained to them plainly and thoroughly!
How do these inept developers get hired?