How come you didn't bother to check the list for dupes? You'd have found out that it only contains 755k unique entries, out of which only around 450k are unique users.

>Under GDPR, the fine would have been $420M

That's not how the GDPR works.