by ZoFreX 5083 days ago
Write a blog post explaining exactly what is wrong and why it is a problem, then tweet it to them and post it to their Facebook wall. If they won't fix the security issues, then maybe you can save a fraction of their users by convincing them to go elsewhere. (And by making noise publicly they are probably more likely to actually do something about it)

When you do this, at least at first, don't name the site. In your email to the site you can tell them the blog is about them.

If you do feel the need to spill who is at fault, you can do it in the comments or in a follow-up post at a later date.

Yeah, it's almost your civic duty to warn potential customers. But you have to be careful at the same time not to attract more attention to it than necessary.
I'm not 100% on the rules of responsible disclosure, but isn't giving a company more than a year to fix an incredibly basic error more than enough time? The longer you wait, the higher the chances a black hat will come along; why should their customers burn due to the company's apathy?
Agreed. At that point I'd post it on an anonymous blog through a proxy just to protect yourself in case they want to be assholes.