Allegedly, on or about 10 April 2014, Patrick O'Callaghan sent:
Did you also change your passwords on every vulnerable site which has since been fixed?
That will be a major pain. The one address offered to check whether a service was patched was overloaded when I tried it, and probably always will be. So you go around changing all passwords, to be safe. And will have to continue doing that until you're sure that it's safe (which is never, really).
I wonder what the outcome will be if your bank account gets ripped off due to this, for example. Can you hold the bank liable, or are they going to say it's your problem? My simple look at the information provided looks like it's a server and client problem.