http://money.cnn.com/2014/04/10/technology/security/heartbleed-passwords/index.html
Websites are racing to patch the Heartbleed bug, the worst security hole the Internet has ever seen.
As sites fix the bug on their end, it's time for you to change your passwords. The Heartbleed bug allowed information leaks from a key safety feature that is supposed to keep your online communication private -- email, banking, shopping, and passwords.
Don't change all your passwords yet, though. If a company hasn't yet updated its site, you still can't connect safely. A new password would be compromised too.
Many companies are not informing their customers of the danger -- or asking them to update their log-in credentials. So, here's a handy password list. It'll be updated as companies respond to CNN's questions.
Change these passwords now (they were patched)
•Google, YouTube and Gmail
•Yahoo, Yahoo Mail, Tumblr, Flickr
•OKCupid
•Wikipedia
Don't worry about these (they don't use the affected software, or ran a different version) [I think I will still worry anyway]
•Amazon
•AOL and MapQuest
•Bank of America
•Capital One bank
•Charles Schwab
•Chase bank
•Citibank
•E*Trade
•Fidelity
•HSBC bank
•Microsoft, Hotmail and Outlook
•PayPal
•PNC bank
•Scottrade
•TD Ameritrade
•U.S. Bank
•Vanguard
•Wells Fargo
Don't change these passwords yet (still unclear, no response)
•American Express
•Apple, iCloud and iTunes
Just FYI, OpenSSL is NOT the only player on the market for encryption. Microsoft has its own certificate services. The major public key infrastructure (PKI) players such as VeriSign and Thawte are unaffected, as they have proprietary encryption signing software.
If sites like Amazon, AOL, Fidelity, LinkedIn, etc. show they’re not affected, they’re not affected. They don’t use OpenSSL for encryption.
This is one of those things where you really do get what you paid for.