
Heartbleed malware research and response



RoseFI
4-10-14, 8:21pm
First off, know that I alerted Alan & Iris Lily to this first thing this morning (Pacific time) and Alan verified that the SLF log-in does not use HTTPS - which is the encryption method that has the vulnerability. However, GoDaddy hosts our website, and it was vulnerable, and they have patched that vulnerability (http://godaddyblog.com/open-ssl-heartbleed-weve-patched-servers/). Not that SLF stores any sensitive data of yours on the server, but I think it's wise for people to change their passwords just as a precautionary measure (and I'll post this recommendation in other appropriate areas.)

As far as I can tell from the limited reporting so far, this vulnerability has been active for possibly up to two years (when the vulnerable version of the software was published.) Any website that you logged in to that uses HTTPS:// may have been compromised. So I would advise you to check the websites on which you are registered and may have logged in. Just going in and changing your password will not necessarily protect you -- UNLESS you know that the website has applied the upgrade that closes the back door. Otherwise, you're just giving the hacker your new password. So before you log in anywhere, go to the place on the site where they give news updates, or support, or contact them directly to check if they were vulnerable to Heartbleed in the first place, and if so, whether they have fixed it. And if so, in addition to changing your password, review what transactions you may have done through that site. If a sensitive-data transaction has occurred there in the last two years, be on alert that information may have been compromised.

Today I checked the online banking user agreement for Wells Fargo. WF was NOT vulnerable to this attack, but I was just curious -- looks like their new online banking user agreement (which I have never agreed to, though they tell me they will cut off access if I don't) says in very vague terms that users have no claim against them if they are robbed as a result of accessing online banking. I imagine other banks' agreements may say the same. So don't think that your bank will take care of you -- as the Russian proverb goes, so often attributed to Reagan: Trust, but verify!

Alan
4-10-14, 8:39pm
A little further information on the subject:

This website (http://gizmodo.com/how-heartbleed-works-the-code-behind-the-internets-se-1561341209) goes into detail about what exactly happens with the Heartbleed bug.

Basically, two computers stay connected over an HTTPS connection by passing information between one another. The computer receives some random information, copies it into memory, then grabs that information from memory and sends it back. This is called a "handshake" or "heartbeat". The bug works by (falsely) requesting more information than is needed, meaning that the hacker gets not only the random information that is sent, but also a big chunk of information that was in computer memory as well.

One important thing to know is that computer memory is never actually "empty" while the computer is running. Data is stored in memory, but isn't erased when no longer used. Rather, computers simply tag the memory as "junk data" and allow the computer to overwrite it when that part of memory is needed. (This is how deleted files on your hard drive work as well, and why it is possible to recover a deleted file.) The bug makes the server return this "junk data" still in memory, which can include passwords and other important information. And while there is a limit to how much data a person could get with a single "heartbeat", there is no limit to how many times that person could request it.

For anyone interested in checking the status of their favorite e-commerce or banking sites, this tool (https://lastpass.com/heartbleed/) will allow you to check its vulnerability status.
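Alan's description of the heartbeat over-read, as an added C model that is not from this thread and not OpenSSL's code: a toy heartbeat handler that trusts the peer's claimed length sits beside one that adds the kind of length check the patch introduced. The record layout is simplified, the stale "secret" and the 64-byte memory arena are constructed, and the over-read stays inside that arena so the program is well-defined.

```c
#include <string.h>
/* Constructed, simplified model of a TLS heartbeat record (not OpenSSL's code):
 * byte 0 = type, bytes 1-2 = claimed payload length, then the payload (real
 * records also carry padding, left out here). */
#define ARENA_SIZE 64
#define RECV_LEN   5              /* bytes actually received: 3 header + "hi" */
#define SECRET     "pw=hunter2"   /* constructed stale data, never wiped */
/* Constructed "process memory": the received record sits at the front and
 * stale data from an earlier request sits right behind it. */
static unsigned char arena[ARENA_SIZE];
static void setup_arena(void) {
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                         /* heartbeat request */
    arena[1] = 0x00; arena[2] = 0x10;     /* peer claims 16 payload bytes */
    memcpy(arena + 3, "hi", 2);           /* only 2 were really sent */
    memcpy(arena + RECV_LEN, SECRET, sizeof SECRET - 1);
}

/* Vulnerable echo: trusts the claimed length and copies that many bytes. */
static size_t heartbeat_vuln(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    size_t n = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;                        /* received length is never consulted */
    memcpy(out, rec + 3, n);              /* over-reads into adjacent memory */
    return n;
}

/* Patched echo: drop any record whose claimed length exceeds what arrived. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    if (rec_len < 3) return 0;
    size_t n = ((size_t)rec[1] << 8) | rec[2];
    if (3 + n > rec_len) return 0;        /* malformed: send no response at all */
    memcpy(out, rec + 3, n);
    return n;
}

/* 1 if the vulnerable handler's reply carries the stale secret. */
int vuln_leaks_secret(void) {
    unsigned char out[ARENA_SIZE] = {0};
    setup_arena();
    return heartbeat_vuln(arena, RECV_LEN, out) == 16 &&
           memcmp(out + 2, SECRET, sizeof SECRET - 1) == 0;
}

/* 1 if the patched handler refuses the same record. */
int fixed_rejects(void) {
    unsigned char out[ARENA_SIZE] = {0};
    setup_arena();
    return heartbeat_fixed(arena, RECV_LEN, out) == 0;
}
```

The vulnerable handler echoes 16 bytes for a 2-byte payload and the stale bytes come back with it; the patched one returns nothing, which is why a patched server cannot be made to leak this way no matter how many heartbeats it receives.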