Username comments on My Heartbleed learning experience and alternative to poor quality Heartbleed instructions.

Note that a sysadmin might e.g. react immediately to patch their company’s servers, revoke keys, etc., but be far more lax about changing their own passwords.