We’ve just sent the following announcement email to all FastMail users.
Dear FastMail User
You may have heard of a recent security bug (known as 'Heartbleed') in the OpenSSL library, which is used by two-thirds of the Internet, including ourselves and other major sites like Amazon, Google, Yahoo, etc. FastMail was quick to update its servers to fix this bug and issue new SSL certificates as soon as we were made aware of it.
We have no reason to believe any of our servers were targeted or exploited by this security flaw, but given the nature of the flaw it's impossible to know if this bug was being exploited before it was announced.
Because of this, we are recommending that all FastMail users log out of all existing sessions and change their account passwords.
Again, there's no evidence our servers or your password have been compromised, but we're recommending this as a precautionary measure.
If you hate remembering passwords, we recommend you use a password manager program to remember them for you. Most modern browsers (e.g. Firefox, Chrome) have a password manager built in and will offer to remember your passwords for you. LastPass and 1Password are also popular choices.
When you choose a new password, it's important that you do not use the same password elsewhere and choose a password with reasonable complexity.
Your email is often the key to your online world. Many sites let you reset your password by sending a reset code to your email address. When you reuse your FastMail password at other sites, you're making it much easier for attackers to potentially break into your email account. Other sites often don't have the same high security measures as FastMail (such as compulsory HTTPS, locked-down servers, etc.), which makes them much easier for criminals to break into. If they hold your email address and the same password that you use for FastMail, the attacker can then access your email account and get into everything else you use online.
If you're using alternative logins already, we recommend you delete and re-add them with any base password changed.
To change your password and log out of all existing sessions, you can use these steps.
Again, this is a highly precautionary measure. FastMail is extremely concerned about security and has always tried to be highly proactive in keeping our customers' accounts and data as secure as possible.
The FastMail Team