Originally Posted By: artie505
... and there doesn't appear to be any indication that it's been exploited.

At least not on a large scale, it seems. I'd like to point out, however, that there is a continuous and sizeable 'background' of internet hacking/theft going on. While much of that can be attributed to one or the other exploit, it doesn't cover everything else, including Heartbleed. After all, any smoking gun would have to unequivocally link abuse of stolen data with Heartbleed. Unfortunately, that's only indirectly possible (i.e., after abuse pattern analysis), because, when used, the exploit leaves no traces on affected servers (except, possibly, in custom transaction logs). And, as you suggested, there's not much of a pattern yet.
On the other hand, if someone had indeed stumbled on this flaw and exploited it*, it's not unreasonable to assume that it probably wouldn't have remained a secret for long.

That said, I'd like to remind you that the flaw can be used to access already recorded data, as this is not affected by any post-hoc patches applied to the relevant servers. Note that this data may have been recorded in the window between the flaw's recent revelation and its patching, and that window may still be open on servers you have dealt with. This explains the now frequently heard advice to check your financial transactions carefully for unauthorized activity.


*) Despite a comment in an earlier post, I didn't mention the possibility here that the NSA knew and kept mum about Heartbleed to be able to exploit the flaw, because I figured that would be beyond the pale even for that organization. It seems I was doubly wrong, and that now appears to have been the case, although it's been denied by the White House. If you needed proof that the current policies of US intelligence agencies may cause more damage than they prevent, this could be it.

Last edited by alternaut; 04/11/14 11:39 PM. Reason: Added breaking news

alternaut moderator