Just logged in today to change my password after the revalations about Heartbleed, and was astounded that you didn't preemptively force a password reset.
For those reading this who don't know, Heartbleed is a vulnerability in, basically, the underpinnings of secure Web traffic (the OpenSSL implementation of the TLS/SSL protocol), which makes it possible for hackers to potentially get your passwords right out of a server's RAM. It is prudent, with the revalation, to change all your passwords soon - especially those protecting sensitive data like card numbers.
From filippo.com/hearbleed, PayPal IS VULNERABLE. The tool is actively able to exploit the bug.
This must be addressed immediately, gonna email tech support now.
It is my understanding, per the CNN article below, that if PayPal uses the affected SSL it must be patched before changing your password or your new password would be compromised as well. I am curious if PayPal even uses the openSSL or if they have their own proprietary code written themselves. http://money.cnn.com/2014/04/09/technology/securit
According to my bank which stated about heartbleed they listed paypal.com as company infected as well as amazon.com. Here is link to the bank release I received today. https://www.ffb.com/542.htm
I just checked LastPass and they show that as of April 9, 2014, PayPal IS vulnerable:
You can check any https url with the tool above to determine if any of your other "Trusted" sites are also vulnerable.
What the various HEARTBLEED BUG checkers can do is determine what server software is using for https access to the server.
For example, in the case of https://paypal.com this is the report
Detected server software of Apache-Coyote/1.1
That server is known to use OpenSSL and could have been vulnerable.
The SSL certificate for www.paypal.com valid 2 months ago at Feb 19 00:00:00 2014 GMT.
This is before the heartbleed bug was published, it may need to be regenerated.
It is incumbent on Paypal to report the facts.