Jammerwoch (73739) writes "In the process of verifying that my critical accounts had patched their OpenSSL implementation and re-issued their SSL certificate before changing my password, I noticed that PayPal had not addressed issue: not on their blog, in their support pages, or anywhere on my account page. I also noticed that their SSL certificate was issued in February of 2014, before the vulnerability was discovered. So I contacted support to ask if they had addressed the vulnerability. The first response I got was this:
"Your PayPal account details were not exposed at any time in the past and remain secure. You do not need to take any additional action to safeguard your information."
Undaunted, I replied, asking specifically if they were (or had ever) used one of the vulnerable versions of OpenSSL (1.0.1 through 1.0.1f). The response I received was amusing, to say the least:
"I assure you that your password is not compromised. We do not use an Open SSL in our servers. The SSL certificate that we are using is hyper encrypted and beyond the versions of the usual SSL certificate. It is not affected by the ongoing HeartBleed issue."
Well! Now I'm completely reassured, knowign that they don't use "the Open SSL", and that their certificate is "hyper encrypted".