It sounds like they just report the number they are sure of at the time and update the filing later. Very high chance the number of affected is much more then 1.3M - the number of unique email addresses alone makes it pretty clear its more.
The situation doesn’t come without precedent either. It’s not uncommon for organizations disclosing data breaches with US state officials to update those filings down the line as investigations into potentially compromised data continue.