If This Then That (IFTTT, one of our favourite automation services) has just emailed customers to say that it has updated its SSL service so that it is no longer vulnerable to the Heartbleed security bug. I suspect we’re going to be seeing a lot of emails like this over the coming weeks.
Here’s the relevant text from the IFTTT email:
A major vulnerability in the technology that powers encryption across much of the internet was discovered this week. Like many other teams, we took immediate action to patch the vulnerability in our infrastructure. IFTTT is no longer vulnerable. Though we have no evidence of malicious behavior, we’ve taken the extra precaution of logging you out of IFTTT on the web and mobile. We encourage you to change your password not only on IFTTT, but everywhere, as many of the services you love were affected.
As we noted in our writeup of Heartbleed, the sensible time to change passwords is after a given site has confirmed it is no longer vulnerable. If you change your password on a still-vulnerable site, there’s no guarantee the update might not also be subsequently accessed by a malicious hacker.