Simple Machines Forums (SMF) has accused Avast of lying about the circumstances of their data breach earlier this week, which the security company pinned on the SMF software they were using to run their community.
Citing a site image taken just before the attack, SMF say that the copyright of their software dated back to 2012, indicating Avast may have been running software several version out-of-date. The open-source firm added that they knew Avast had made modifications to their installation.
SMF said: "While we understand that Avast is looking to preserve its standing in the web world and looking to lay the blame at any one else's doorstep, aside from their own, we are concerned and upset over the unfounded accusations they have levelled."
The forum developers added that claims of a vulnerability discovered by a black hat hacking group, an outfit operating for personal gain, were unfounded, and "yet another attempt to pass the blame with no actual evidence or support".
It also denied that their latest update, 2.0.7, was a silent security patch that needed to be supplied so that users could remain safe, a possibility an Avast spokesman had raised after the attack.
Less than 0.2% of Avast's 200 million customers were affected by the attack, which compromised usernames, hashed passwords and email addresses, but left financial information stored on an isolated system secure, according to the company.
SMF said that it have tried to contact Avast, but the company has largely ignored them, and been unhelpful when it has responded.
Vince Steckler, chief executive of Avast, said that Avast's forum will be moved to a new software platform intended to be faster and more secure, and advised users to change passwords if they had reused them on other websites.
Peter Martini, chief operations officer at iboss Network Security, said: "It is not uncommon for companies to rely on third-party ERP [enterprise resource planning] systems to manage inventory, assets and customer orders.
"However, even if the company has strong internal security practices in place, if the third party software has a security flaw in it, it makes the company susceptible to a breach."
Concern over the use of open-source software has been heightened since the Heartbleed OpenSSL bug in April left the likes of Facebook, Yahoo and Google vulnerable to hackers, in what Hugh Thompson of security firm Blue Coat termed a "call to action for open-source committees".
"Ultimately, this should serve as a reminder for all companies to continually run security stress test against all systems including third-party software integrated into the organisation," Martini said.