The Heartbleed Internet-security flaw is very bad, but contrary to many media reports, you don't have to run out and change all your passwords now. In some cases, it might be better to wait, or not do it at all.
First, to be clear, you don't need to change any passwords or PINs you use to log into a Windows PC, Mac or mobile device. For the most part, personal computers, smartphones and tablets are not directly affected by Heartbleed.
Heartbleed affects Web, email and chat servers by undermining the secure connections they make with you. Not all servers are affected, only those that used certain encryption protocols over the past two years. Most servers running Microsoft software, as well as servers that used other encryption protocols, are unaffected.
Furthermore, although Heartbleed was made public on Monday evening (April 7), some companies got advance warning and patched their vulnerable servers beforehand. Among these were Google, which helped find the flaw, and Facebook. (That doesn't mean they weren't hit before they patched; a Heartbleed attack would have left no trace.)
Most companies got no advance warning, including Yahoo, which scrambled to patch its servers Tuesday even as security researchers found it was easy to see usernames and passwords as users logged into Yahoo Mail.
Because of the complexity of the Heartbleed bug, and the way in which the news got out, there are six categories of websites that were affected in different ways.
The following lists only prominent U.S. websites; for a much more detailed list, see this breakdown of the top 10,000 websites worldwide, compiled Tuesday by former LulzSec hacker Mustafa al-Bassam.
Sites for which you will definitely need to change your password
Yahoo, including Yahoo Mail and any Yahoo Group
Flickr (Yahoo subsidiary)
Tumblr (Yahoo subsidiary)
Sites that have asked users to change their passwords, or are making them do so
Sites that were, or may have been, vulnerable to Heartbleed
These sites patched their servers after the public disclosure, and it's safe to change your password on them.
Electronic Frontier Foundation
Sites that may still be vulnerable to Heartbleed
Do NOT change your password on any of these sites until they say they have patched their servers. Otherwise, attackers could capture your new password as well.
Sites that patched their servers before the Heartbleed disclosure
These sites are at minimal risk, but were nevertheless vulnerable over the past two years while the Heartbleed flaw existed undetected. It wouldn't hurt to change your password on these — and to activate two-step verification on them, and on Yahoo too.
Blogger/Blogspot (Google subsidiary)
Google, including Gmail
Instagram (Facebook subsidiary)
YouTube (Google subsidiary)
Sites that were never affected by Heartbleed and on which you don't have to change your password
Bank of America
The New York Times
The Wall Street Journal