In the wake of the Heartbleed bug / SSL vulnerability that was widely publicized, one of my customers asked me the other day whether they still needed to change their passwords as they had heard the problem had been fixed. In short, the answer is YES.
Whilst the issue has been largely mitigated, though there are still some 300,000 servers globally at risk, the fact is that even if the server you use has been mitigated there was a period of time during which those passwords could have been compromised, and whilst the door may now be closed there is still a chance that your password is sat out there somewhere in the ether waiting for some unscrupulous hacker.
So to be clear, for any websites / on-line services that you use, particularly the ones that contained Personally Identifiable Information (PII) such as your name, DOB, address, bank account details, membership numbers etc, and on the assumption that those servers have been fixed you should by now have changed your password. It is better to be safe than sorry, so if you haven't already changed your passwords...do it now!