The breach affected less than 0.2 percent, or roughly 400,000, of Avast's 200 million users, said Steckler, noting that its scope was limited because it only affected users of its community-support forum, which is run on an "isolated third-party system". Accordingly, the most important customer data it holds, including payment, licence, and financial data, was not impacted.
"We realise that it is serious to have these usernames stolen and regret the concern and inconvenience it causes you," Steckler said.
While the passwords were stored as hashed values, Steckler advised that it was still possible for a sophisticated attacker to derive the plain-text passwords, which could pose a risk to affected users who re-used their forum password on other sites.
"If you use the same password and user names to log into any other sites, please change those passwords immediately," he warned.
So how many months later, and why didn't they tell before?
Changing your passwords now has as much sense as changing your door after it has been broken down and you have been burgled of everything you have.