And even as a LastPass user, you'd still have to change passwords as the servers you're authenticating on could be compromised, right?
That's true, but it isn't a big deal to do so if all you have to do is generate a new 30-digit random password that you don't have to remember. And, yes, as the blog entry linked above indicates, LastPass doesn't itself rely upon TLS to secure communications between LastPass and their servers.
One thing to remember...
This bug did NOT simply allow malicious actors to retrieve passwords from systems secured by OpenSSL. It allowed them to dump memory contents from the server, 64K at a time, over and over (randomly distributed). That memory could contain your password, sure. But it wasn't just passwords. The idea would be to hit the servers over and over until you get a big dump of their memory contents, and you can look at ANYTHING happening on the server. But I bet any servers being attacked weren't being attacked by password crackers...
No, if this was being exploited in the wild (and to be clear, there's no evidence one way or the other that anyone knew about this before OpenSSL published the notification), the thing they were most likely after was the private certificate keys. In particular, those of the root certificate authorities, but really any service's private key would be extremely valuable.
Because then you can masquerade as them completely convincingly, and you don't need to crack/steal anyone's password. You just have to intercept the traffic, insert yourself as a MITM, and then the users will GIVE YOU their passwords (if you want them).
I think it is:

1. Very likely that NSA, and other similar spy agencies, knew about this vulnerability and were actively exploiting it.
2. Possible (though impossible to tell) that they inserted it (NSA or someone like them from some country), but equally possible that it was just a mistake. That's the problem with old languages... Forget a bounds check and this kind of thing happens.
3. Unlikely that criminal enterprises knew about this and were exploiting it to steal stuff about generic end users. Possible, certainly, and they sure-as-heck know about it now, so anyone not patched is going to be hit in 4, 3, 2...
Changing your personal passwords for sites you visit is just not a bad idea anyway, and you never know.
The real issue is replacing your certs if you ran an affected server. If you were using OpenSSL for the past 18 months or so to perform TLS, you have to assume your cert is compromised, and your private key is exposed.
I'm redoing mine.
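Added illustration (editor's note, not code from this thread and not OpenSSL's code): a cut-down model of the heartbeat handling being discussed above, the "dump memory 64K at a time" behaviour and the "forget a bounds check" remark. The thread never names the bug; this assumes it is the 2014 OpenSSL heartbeat over-read, whose fix was a record-length check of the kind shown in `heartbeat_fixed`. The message layout (1-byte type, 2-byte payload length, payload, 16 bytes of padding) matches the TLS heartbeat extension; everything else (function names, the 256-byte "arena" standing in for adjacent heap memory, the constructed `SECRET` marker, the request sizes) is mine and exists only so the over-read stays inside a buffer this program owns.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HDR       3      /* 1 byte type + 2 byte payload_length */
#define HB_PADDING   16

typedef long (*hb_handler)(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap);

/* Build a heartbeat request whose length field claims `claimed` payload bytes
 * while only `real` bytes of payload are actually present. Returns the number
 * of bytes written, i.e. the record length the TLS layer would report. */
static size_t build_heartbeat(unsigned char *buf, uint16_t claimed, size_t real)
{
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed >> 8);
    buf[2] = (unsigned char)(claimed & 0xff);
    memset(buf + HB_HDR, 'A', real);
    memset(buf + HB_HDR + real, 0, HB_PADDING);
    return HB_HDR + real + HB_PADDING;
}

/* Vulnerable shape: the payload length is taken from inside the message and
 * never compared with the length of the record that actually arrived. */
static long heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                 unsigned char *out, size_t out_cap)
{
    (void)rec_len;                               /* the defect: rec_len is ignored */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + payload + HB_PADDING > out_cap)
        return -1;                               /* keeps this demo inside its own arena */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);   /* reads past the end of the record */
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return (long)(HB_HDR + payload + HB_PADDING);
}

/* Hardened shape: refuse any request whose claimed payload does not fit in
 * the record we were handed. */
static long heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_PADDING)
        return -1;                               /* cannot even hold header + padding */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + payload + HB_PADDING > rec_len)
        return -1;                               /* the bounds check that was missing */
    if ((size_t)HB_HDR + payload + HB_PADDING > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return (long)(HB_HDR + payload + HB_PADDING);
}

/* Portable substring search over raw bytes (response may contain NULs). */
static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Constructed marker standing in for whatever sits next to the record in
 * memory (a private key, a session cookie, a password). Not a real key. */
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY----- (constructed)";

/* Run one malformed request (claims 120 payload bytes, sends 4) through a
 * handler. Returns 1 if the response carried the adjacent SECRET, else 0. */
static int leaks_secret(hb_handler handler)
{
    unsigned char arena[256];                    /* stand-in for adjacent process memory */
    unsigned char out[256];
    memset(arena, 0, sizeof arena);
    size_t rec_len = build_heartbeat(arena, 120, 4);
    memcpy(arena + rec_len, SECRET, strlen(SECRET));
    long n = handler(arena, rec_len, out, sizeof out);
    if (n < 0)
        return 0;
    return contains(out, (size_t)n, SECRET);
}

/* A well-formed request (claims 4 bytes, sends 4) must still be echoed.
 * Returns 1 if the response payload equals what was sent. */
static int echoes_legit_request(hb_handler handler)
{
    unsigned char arena[256];
    unsigned char out[256];
    size_t rec_len = build_heartbeat(arena, 4, 4);
    long n = handler(arena, rec_len, out, sizeof out);
    return n == (long)rec_len && memcmp(out + HB_HDR, "AAAA", 4) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks adjacent memory: %d\n", leaks_secret(heartbeat_vulnerable));
    printf("fixed handler leaks adjacent memory:      %d\n", leaks_secret(heartbeat_fixed));
    printf("fixed handler still answers valid beats:  %d\n", echoes_legit_request(heartbeat_fixed));
    return 0;
}
```

The point of the two handlers side by side is that the attacker controls the 2-byte length field, so the only thing standing between them and the next 64K of process memory is the comparison against `rec_len`; a real server would also be handing back heap contents rather than a stack buffer, which is why the keys and sessions of whatever else the process was doing are what comes back.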