Context: I want to give some insight as to why I (and others) voted for "not changing password, not very worried" and as to why the company is not telling everybody to change password immediately.
I agree that the fact that patches were needed does imply that they were running the bad OpenSSL versions. The company is saying, on the record, that people do not need to change passwords. And this matches what I am hearing informally from friends who work there.
Is it good hygiene to change passwords? Yes. Given two-factor authentication and perfect forward secrecy, it might not be super critical though.
The company is saying, on the record, that people do not need to change passwords.
Let me ask an important question: how does Google know? A successful Heartbleed attack leaves no traces unless you're logging all the packets you received in pretty ridiculous detail.
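To make the "leaves no traces" point concrete, here is an added example (my code, not part of this thread and not anything Google or the commenters published): it parses TLS records from a constructed byte stream and flags heartbeat requests whose declared payload length cannot fit inside the record, which is the mismatch a server-side Heartbleed exploit produces and the only artifact a defender could look for, and only if the packets were captured. It assumes the heartbeat is sent in the clear before key exchange completes, which is how the public exploit worked; once the connection is encrypted, the heartbeat fields are not visible and this check cannot see them. The sample records, the hypothetical version value, and the 0x4000 declared length are constructed for the example.

```python
import struct

TLS_HEARTBEAT = 0x18   # TLS record content type for heartbeat (RFC 6520)
TLS_HANDSHAKE = 0x16
HB_REQUEST = 1
HB_MIN_PADDING = 16    # RFC 6520: at least 16 bytes of padding after the payload


def parse_tls_records(data: bytes):
    """Split a raw TLS byte stream into (content_type, version, body) tuples.

    Stops at the first truncated record rather than guessing at its contents.
    """
    records = []
    offset = 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        if len(body) < length:
            break
        records.append((ctype, version, body))
        offset += 5 + length
    return records


def check_heartbeat(body: bytes):
    """Classify one heartbeat record body.

    Returns (declared_payload_length, verdict). A request whose declared
    payload plus the mandatory padding exceeds the bytes actually present
    is the Heartbleed pattern: an unpatched OpenSSL copied `declared`
    bytes out of its heap regardless of how many arrived.
    """
    if len(body) < 3:
        return None, "malformed"
    hb_type, declared = struct.unpack("!BH", body[:3])
    if hb_type != HB_REQUEST:
        return declared, "response"
    available = len(body) - 3
    if declared + HB_MIN_PADDING > available:
        return declared, "heartbleed"
    return declared, "benign"


def scan(data: bytes):
    """Run the heartbeat check over every record in a captured byte stream."""
    findings = []
    for ctype, version, body in parse_tls_records(data):
        if ctype != TLS_HEARTBEAT:
            continue   # handshake, alert and application data are ignored here
        declared, verdict = check_heartbeat(body)
        findings.append({
            "version": version,
            "declared": declared,
            "actual": len(body) - 3,
            "verdict": verdict,
        })
    return findings


def build_heartbeat(declared_len: int, payload: bytes, padding: bytes,
                    version: int = 0x0302) -> bytes:
    """Construct a heartbeat request record (sample data for this example)."""
    body = struct.pack("!BH", HB_REQUEST, declared_len) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, version, len(body)) + body


# Constructed sample traffic: a dummy handshake record, a well-formed heartbeat
# and a 3-byte heartbeat request claiming a 0x4000-byte payload.
HANDSHAKE = struct.pack("!BHH", TLS_HANDSHAKE, 0x0302, 4) + b"\x01\x00\x00\x00"
BENIGN = build_heartbeat(4, b"ping", b"\x00" * HB_MIN_PADDING)
MALICIOUS = build_heartbeat(0x4000, b"", b"")

if __name__ == "__main__":
    for f in scan(HANDSHAKE + BENIGN + MALICIOUS):
        print(f)
```

Without a capture of the connection there is nothing to run this over: the server's own logs record neither the oversized length field nor the memory that leaked in the response, which is the commenter's point about how little anyone can know after the fact.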
Bruce Schneier says: "At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies." I consider his opinions to be credible.
Update: Bloomberg says: "The U.S. National Security Agency knew for at least two ...
You know the drill - If it's worth saying, but not worth its own post (even in Discussion), then it goes here.