The good news is that until mid-March, we were using a version of OpenSSL that was not vulnerable to the HeartBleed bug.
However, in March we started migrating sites to a newer server OS that included the infected version. So for about 20 days, until our OpenSSL was updated on April 9, our sites were vulnerable.
As of April 11, we have re-keyed all of our SSL Certificates, and changed important passwords related to our domains and infrastructure.
Should you change your password?
Given the relatively small window of opportunity for attackers to exploit the bug on our servers, and the availability of much more prominent sites to attack, we are not requiring you to change your password.
If you logged in to your website in the last 3 weeks, there is a chance that attackers may have been able to capture your password or other private information during that time. You should go ahead and change your password.
If your website password is the same as one you use on other vulnerable sites, such as GMail, Dropbox, Yahoo, or GoDaddy, then you should change your password. Attackers have almost certainly used this bug against prominent web services in the last 2-3 years.
If you have any questions or concerns about this issue, please contact me.