[huhtenberg]

> Am I at risk?

Instead of "Blah-blah, less than a day, go check yourself", they could grep the logs for IPs (and session cookies if they log that) of lucky winners and explicitly inform them, when they hit any page on their site. Then show generic version to everyone else. This takes all but 5 minutes to set up.

[jmiserez]

Nice idea with a major problem: If they did this, the absence of such a message could suggest that you were not affected, when in fact you could be (changed IP, cleared browser, etc).

False negatives are pretty bad in this case, better for users to check themselves.

[huhtenberg]

No, you are missing the point.

It will all remain exactly as it is now, except for the case when they recognize a visitor that is likely to have downloaded the malware. In this case they should throw an extra warning.

[jmiserez]

You would be right if nobody besides the affected people would ever know that they are doing this.

But as soon as other people know or hear of it, they will go check the website to "see if they are affected". Even if the website has a huge disclaimer telling people that they could still be affected, the absence of the warning would still suggest that they are not affected, even when they could be.

[wepple]

plus everyone behind a single NAT IP will get the message and freak out.

[rem1313]

This is not a bad idea, maybe write to them and suggest that?