Most of us are a little slack about changing our passwords, unless the system forces us to do it regularly. Regardless of whether your accounts were affected by the Heartbleed bug, this would be a good reminder that passwords should really be changed regularly. Or occasionally. Or once in a great while.
However, if the website hasn't patched their system yet, you should wait until the patch has been implemented before you change your password, or change it again after the patch has been put into place. Unfortunately, many companies are not informing their customers whether or not they were affected by the Heartbleed bug. I understand that it might be a little embarrassing for these companies, but I think it is awful that every company is not keeping their customers up-to-date on this important security issue.
CNN has a webpage where they are supposed to be keeping an updated list of companies who were unaffected or who have patched their systems against this intruder. I can not vouch for how regularly it is being updated, but it is better than no list.
Major military-affiliated companies and organizations that have addressed the issue:
Defense Finance and Accounting Service (DFAS) states that its system was not impacted by this bug.
USAA has explained how their systems have been affected by the Heartbleed bug. Short answer: no signs it was compromised, but please change your password anyway.
Navy Federal Credit Union has assured members that their system does not use the technology that was impacted by Heartbleed.
Internal Revenue Service: the US tax agency does not use the technology targeted by Heartbleed.
Even if your account was not affected by the recent situation, this could be a great time to make a clean sweep of all your passwords and start fresh.
