For WiseCash, I first verified the situation, and was lucky to see the server itself wasn’t affected (like most people at EngineYard not using an ELB).
I felt that as a customer myself, I would have loved to be notified, so I sent this (inspired by Honeybadger):
last night, a severe OpenSSL vulnerability has been disclosed (HeartBleed).
Your WiseCash data is safe - we do not use a vulnerable version of OpenSSL.
Despite this, I’m in the process of renewing all our keys gradually, because your data safety matters to me.
Have a great day,
PS: I’ll be adding an annual plan soon (one month free, only one transaction). Reply to this email if interested!
In retrospect (but well tough and tiring day, since I had to handle Heartbleed for my freelancing clients too), I should have phrased it better to be more explicit about the difference between the server and the third-parties I rely on too (which have access to a very little part of the data, but still).
I then made due diligence again, opened a google spreadsheet, and tracked down literally all the services I’m using (even remotely), writing down who had made a statement, in order to change the credentials /after/ they have fixed their systems. I still have a couple of keys to rotate on non critical bits, because not everyone has yet communicated. I also changed the Rails secret and reissued SSL certificates (even if not useful since the server isn’t vulnerable), mostly to train myself to handle this.
Later on, I explained what I did in a short blog post, which I linked from the sign-in form to make sure people would be aware.
A couple of customers replied, thanked me for the handling of the situation.
Some asked for the annual plan I proposed in PS too, which is nice
Looks simple in retrospect, but I’ve been pretty concerned the whole time!
Hope this helps,