...Its the distinct lack of response by the AVAST webmaster that concerns me...
One thing I do like to see is an indication that the first hurdle ("there is no good reason to believe this could be due to an issue on our end") has been cleared. The larger and/or less technical the company, the more likely it is that the recipient unique email address aspect will be overlooked. My feeling is that hurdle is past us, but I can't point to anything which proves it.
Given avast's industry and the massive amounts of sensitive information they receive, I would expect them to seed ALL of their databases with non-obvious account information so that they themselves can monitor for leaks. That's on top of continuously inspecting their systems for exploit weaknesses, malicious code, signs of intrusion, etc. Of course, very many companies you would expect to be using absolute top notch approaches have been found to have vulnerabilities and often even totally inexcusable ones.
In a way, even something like this IS a HUGE deal when you can't bound it. Spam to a recipient unique email address is usually the first sign that someone has acquired information that they shouldn't have. The important question is: what ELSE was acquired? You don't know though... and you may never fully know. Obviously, one possibility which is strong in some cases is that a recipient company database was compromised. For all you know, that database *and other databases* were compromised. Every bit of information you have ever given the company or it has collected somehow about you may be compromised. Even if other databases weren't directly compromised, they could be indirectly so. For example, where a forum exploit somehow acquired user/pass and the user foolishly used that same user/pass on another type of account with the same company. Technically speaking, you don't even know what to do with regards to changing passwords, etc on accounts because the exploit could still be in place. Such is the cold, hard, factual, reality of the situation. Most would, for whatever reason, think positively and assume least worse case. From a practical point of view that is understandable. From a technical point of view that is absolutely wrong; you SHOULD assume worst case. Those that are security/privacy conscious will naturally want to do the technically best thing but it is a nightmare to do so. We haven't even gotten to other possibilities yet, so the cascade or avalanche of possibilities and what is necessary to very properly respond to them gets even worse.
So I think it is quite good, and in fact probably a sign of proper thinking, when someone gets upset about even something like this. Thing is, you also have to try to remain somewhat patient and give the company time to carefully review everything it SHOULD be carefully reviewing. I don't know when this started, but it sounds to me as though it has only been several days since the first report. Maybe the thing to do is give avast some more time to investigate and respond to customers/users? I don't know what others think reasonable, but my feeling at this point is that if a few weeks go by without a reasonable response from avast, then no matter how you slice/dice it the company just doesn't care about its customers/users. I personally don't expect a company to disclose everything, and I always question whether they are disclosing everything they should be. What is a "reasonable response" is difficult to pin down, but that's a bridge that can be crossed if/when we get to it.
