Are there any estimates of how many users were critically vulnerable to this potential attack, i.e. had unencrypted seeds in their wallet files? I've tried to do some research, but failed to determine whether Electrum has always asked for a password during the new wallet creation process, or whether this feature was added in some version. Also, is the password optional during creation?
Some users and media have misunderstood this vulnerability and started claiming that "Electrum is completely broken and anyone can steal your coins when you run it", which is simply not true, so it's better to clear up this misunderstanding.
The password feature has always been there, but it has always been optional, because some systems require automated payments. We are closely monitoring how fast users are updating their wallet software. Media reports were useful in spreading awareness, but it is true that they also created misunderstanding.
At this point, there is no evidence that bitcoins have been stolen because of this vulnerability. Two users have reported bitcoin theft and attributed it to the vulnerability, but these cases are more likely to have been caused by malware downloaded from fake Electrum websites, or by keyloggers, because these wallets were protected with strong passwords.
We received one suspicious report from a user who sent bitcoins from an exchange to a wrong address. This user was trying to fund his Electrum wallet, and he used an address that was in the "send" tab of his wallet, instead of the "receive" tab. This user did not answer our questions regarding whether the presence of an address in the "send" tab resulted from his own actions, or could have been put there by a malicious website.