"We attacked ourselves from outside, without leaving a trace," they wrote. "Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."
I would not treat this lightly. This affects more than half of the internet as OpenSSL is the most popular HTTPS encryption service. Websites ranging far and wide from CubedHost (a humble Minecraft server host) to Google and Facebook use this method of encryption.
None of this is logged. This is a completely untraceable attack as of right now. Change all of your fucking passwords on websites you know are "fixed".
Google, Apple and Microsoft, alongside many e-banking websites, have been reported as unaffected. You can use this tool to check the security of websites you use that use HTTPS encryption (obviously it won't matter on anything that doesn't use OpenSSL like this site), though I am wary of the reliability of that thing.
Source: http://arstechnica.com/security/2014/04 ... sdropping/