I have friends who do security at Google, and they explicitly told me "we don't think the company was vulnerable and you don't need to change your GMail password."
Um. Google said: (emphasis mine)
You may have heard of “Heartbleed,” a flaw in OpenSSL that could allow the theft of data normally protected by SSL/TLS encryption. We’ve assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine.
The fact that patches were needed pretty much says that the services mentioned were vulnerable.
Context: I want to give some insight as to why I (and others) voted for "not changing password, not very worried" and as to why the company is not telling everybody to change their password immediately.
I agree that the fact that patches were needed does imply that they were running the bad OpenSSL versions. The company is saying, on the record, that people do not need to change passwords. And this matches what I am hearing informally from friends who work there.
Is it good hygiene to change passwords? Yes. Given two-factor authentication and perfect f...
You know the drill - If it's worth saying, but not worth its own post (even in Discussion), then it goes here.