

Ask HN: Heartbleed password reset emails: do I *really* need to change them? - ScottWhigham

My understanding of Heartbleed is slight, yes, so I could have this wrong: "Heartbleed allows the attacker to view other sessions' information stored in memory." Is that correct?

Assuming that is correct (of which I'm only 75% sure), why the over-reaction from websites that are proactively changing their entire user bases' passwords? For example, Soundcloud just (a) logged everyone out, and (b) suggested every user change their password: http://blog.soundcloud.com/tag/heartbleed/. SC isn't alone - I've received emails from other large organizations as well.

This seems like a huge over-reach. I haven't logged in to Soundcloud in probably 3-4 months. Is this over-reaction on their part, misunderstanding on my part of what the vuln exposes, or has it been going on for months/years and the sites are only now realizing it?
======
dsschnau
The vulnerability has been there for two years. So any information transmitted
over that time might have been stolen. That's why everyone has to tell you to
change your passwords.

