Heartbleed, a serious vulnerability in OpenSSL, the library a large share of the Internet's servers use for HTTPS, is the security story of the week. The bug (CVE-2014-0160) is in OpenSSL's implementation of the TLS heartbeat extension: a client can send a heartbeat request that claims a payload far longer than what it actually sent, and vulnerable versions (OpenSSL 1.0.1 through 1.0.1f; 1.0.1g has the fix) echo back the claimed length anyway, handing the attacker up to 64 KB of the server's memory per request. That memory holds whatever the server was just working on, which can include other users' passwords in transit, session cookies, and in the worst case the server's own private key. The request leaves nothing in normal server logs, so a site generally can't tell whether it was hit.
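To show what "echo back more than was sent" looks like in practice, here is a small C program added as an illustration for this post; it is not OpenSSL's code and not code from the original author. It mimics the shape of the bug and of the fix. The record layout follows RFC 6520 (one type byte, a two-byte length, the payload, at least 16 bytes of padding); the memory arena, the `ping` payload and the neighbouring `user=alice&pass=hunter2` string are constructed sample data, and the function names (`hb_vulnerable`, `hb_fixed`, `heartbeat`) are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16      /* minimum padding per RFC 6520 */
#define ARENA_SIZE  512

/* Stand-in for server memory: the heartbeat record at the start, whatever else
 * the server was holding right after it. Constructed for this example only. */
static unsigned char arena[ARENA_SIZE];

/* Writes a heartbeat request into the arena with claimed_len in the length
 * field but only actual_len real payload bytes, then plants unrelated data
 * next to it. Returns the true record length as the record layer would see it. */
static size_t build_record(uint16_t claimed_len, const unsigned char *payload,
                           size_t actual_len, const char *neighbour)
{
    unsigned char *p = arena;
    memset(arena, 0, sizeof arena);
    *p++ = HB_REQUEST;
    *p++ = (unsigned char)(claimed_len >> 8);
    *p++ = (unsigned char)(claimed_len & 0xff);
    memcpy(p, payload, actual_len);
    p += actual_len;
    memset(p, 0xAA, HB_PADDING);        /* random in a real record */
    p += HB_PADDING;
    strcpy((char *)p, neighbour);       /* e.g. another user's login, still in memory */
    return (size_t)(p - arena);
}

/* Response = type, echoed length, 'payload' bytes copied from pl, padding.
 * Returns bytes written, or 0 if out cannot hold it. */
static size_t write_response(unsigned char *out, size_t out_cap,
                             const unsigned char *pl, uint16_t payload)
{
    size_t need = 1 + 2 + (size_t)payload + HB_PADDING;
    if (need > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);       /* reads past the record if payload was a lie */
    memset(out + 3 + payload, 0xBB, HB_PADDING);
    return need;
}

/* The Heartbleed shape: the length field is trusted and never compared with
 * rec_len, so claiming 65535 bytes while sending 4 echoes 65535 bytes of
 * adjacent memory back to the client. */
static size_t hb_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    (void)rec_len;                      /* the bug: the real length is ignored */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return write_response(out, out_cap, rec + 3, payload);
}

/* Same handler with the two bounds checks the fix added: room for header plus
 * padding, and the claimed payload must fit inside the record received. */
static size_t hb_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if ((size_t)(1 + 2 + HB_PADDING) > rec_len) return 0;
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;  /* reject the lie */
    return write_response(out, out_cap, rec + 3, payload);
}

static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Sends one request (4 real payload bytes, claimed_len in the header) through
 * the chosen handler. Returns -1 if rejected, 1 if the neighbouring data
 * leaked into the response, 0 if the response was clean. */
static int heartbeat(int use_fix, uint16_t claimed_len)
{
    static const unsigned char ping[4] = { 'p', 'i', 'n', 'g' };
    static const char secret[] = "user=alice&pass=hunter2";   /* constructed sample */
    unsigned char resp[ARENA_SIZE];
    size_t rec_len = build_record(claimed_len, ping, sizeof ping, secret);
    size_t n = use_fix ? hb_fixed(arena, rec_len, resp, sizeof resp)
                       : hb_vulnerable(arena, rec_len, resp, sizeof resp);
    if (n == 0) return -1;
    return contains(resp, n, secret);
}

int main(void)
{
    printf("vulnerable, honest request (4 bytes): %d\n", heartbeat(0, 4));
    printf("vulnerable, claims 256 bytes:         %d\n", heartbeat(0, 256));
    printf("fixed,      claims 256 bytes:         %d\n", heartbeat(1, 256));
    printf("fixed,      honest request (4 bytes): %d\n", heartbeat(1, 4));
    return 0;   /* -1 = rejected, 0 = clean, 1 = secret leaked */
}
```

The only thing stopping `hb_vulnerable` from returning the whole arena is the size of its own response buffer; the real vulnerable code allocated a response buffer of exactly the claimed size, so that check never saved it. The fix is the single comparison of the claimed length against the length the record layer actually received.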
Timing is critical. A new password goes to the server the same way the old one did, so if you change it while the site is still running a vulnerable version, the new one can leak too, and you'll have to change it again after the site upgrades. That's why some experts are saying to wait until a site announces it has patched, and others are saying change right now. Patching isn't the whole job for the site, either: because the server's private key can leak the same way, a careful site will also get a new certificate, and until it does anyone holding the old key could still impersonate it.
Here’s a list of sites that are affected or potentially affected. My recommendation: change your password on every site the list marks as affected. Hint: Yahoo, Google, and Facebook are on the list. If at any point in the near future you get e-mail from one of them saying you need to change your password, change it again, but go to the site directly rather than following a link in the e-mail.
To clarify: Changing your password right now won’t hurt, but it might not be enough either. To be safe, you may end up changing some passwords twice, so be ready for it.
Another clarification: 2-factor authentication does not get you out of changing the password. Even with a second factor, your password is still sent to the server on every login, so it can be sitting in the server memory that Heartbleed exposes. What 2-factor buys you is that a stolen password alone isn't enough to log in, because the second factor (a code from your phone or a token) changes every time and can't be replayed. It doesn't protect the other things Heartbleed can leak, such as a session cookie for a login you've already completed, so once a 2-factor site announces it has patched, change the password there too.