The bug relates to https sites. The concern is that when you log in to an https website secured with OpenSSL software, it is possible for an attacker to obtain the encryption keys and therefore personal details such as passwords, credit card details, etc. The problem lies in the end-to-end encryption, e.g. between you and your bank, so a VPN gives no protection in this case.
Here's an easy-to-understand article:

  • A bug fix is available, but the fix may not have been implemented on all servers. You can test servers for the Heartbleed vulnerability here: https://www.ssllabs.com/ssltest/index.html. If you find an insecure server, be wary about giving it your password, and change the password after they secure the site.
  • There's no knowing whether a system has been attacked or not: the hole has been open for a couple of years already! Also, unusually, there would be no trace of the hackers after data had been stolen.
  • Android and Apple devices are not immune: it is the Linux servers that are affected.
  • The pundits recommend changing passwords because many people use one password for multiple accounts. If a website did not patch the bug in time and hackers exploited it, they have that one password, and therefore access to all of your accounts that use it. There is no point in changing your password unless the server has been patched!
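One defender-side check that follows from the points above is to screen your own servers' OpenSSL builds before deciding whether a password reset is worthwhile. The following Python script is an added example and is not from the original page: it parses the banner printed by `openssl version` and flags builds in the upstream affected range (1.0.1 through 1.0.1f, and 1.0.2-beta1; 1.0.1g and 1.0.2-beta2 onward carry the fix, and 0.9.8 and 1.0.0 never contained the heartbeat code). The host names and banners in `SAMPLE_BANNERS` are constructed sample data.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    letter: str           # release letter, e.g. "f" in 1.0.1f ("" if none)
    beta: Optional[int]   # beta number for pre-releases such as 1.0.2-beta1


# Matches the version field of an `openssl version` banner,
# e.g. "OpenSSL 1.0.1f 6 Jan 2014" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_banner(banner: str) -> OpenSSLVersion:
    """Parse the first line of `openssl version` output.

    Raises ValueError if the text is not an OpenSSL banner at all.
    """
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, patch, letter, beta = m.groups()
    return OpenSSLVersion(int(major), int(minor), int(patch), letter,
                          int(beta) if beta else None)


def is_heartbleed_range(v: OpenSSLVersion) -> bool:
    """True if the upstream release is in the Heartbleed-affected range.

    Affected: 1.0.1 (no letter) through 1.0.1f, and 1.0.2-beta1.
    Fixed:    1.0.1g and later, 1.0.2-beta2 and later.
    Unaffected: 0.9.8 and 1.0.0, which never contained the heartbeat code.
    """
    if (v.major, v.minor, v.patch) == (1, 0, 1):
        # Release letters are single lowercase letters, so string order works:
        # "" < "a" < ... < "f" < "g".
        return v.letter < "g"
    if (v.major, v.minor, v.patch) == (1, 0, 2):
        return v.beta is not None and v.beta < 2
    return False


# Constructed sample output of `openssl version` collected from several hosts.
SAMPLE_BANNERS: List[Tuple[str, str]] = [
    ("web-1",  "OpenSSL 1.0.1e 11 Feb 2013"),
    ("web-2",  "OpenSSL 1.0.1g 7 Apr 2014"),
    ("mail-1", "OpenSSL 1.0.0l 6 Jan 2014"),
    ("test-1", "OpenSSL 1.0.2-beta1 24 Feb 2014"),
    ("legacy", "OpenSSL 0.9.8y 5 Feb 2013"),
]


def triage(banners: List[Tuple[str, str]]) -> Dict[str, bool]:
    """Map each host name to True if its reported build is in the affected range."""
    return {host: is_heartbleed_range(parse_banner(banner)) for host, banner in banners}


if __name__ == "__main__":
    for host, affected in triage(SAMPLE_BANNERS).items():
        status = "AFFECTED RANGE - patch and restart services" if affected else "not in affected range"
        print(f"{host:8} {status}")
```

The version string is only a first screen. Linux distributions often backport the fix without changing the reported version, so a host flagged here may in fact be patched; confirm with the SSL Labs test linked above or the vendor's package changelog. Conversely, a host whose library has been upgraded still serves the old code until every process that loaded it (web server, mail server, VPN daemon) is restarted, which is why the list above is the point at which to restart services and only then ask users to change passwords.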

Here are two technical articles addressing the problem:

Updated by Peter following feedback from Members

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License