"Your PayPal account details were not exposed at any time in the past and remain secure. You do not need to take any additional action to safeguard your information."
Undaunted, I replied, asking specifically if they were (or had ever) used one of the vulnerable versions of OpenSSL (1.0.1 through 1.0.1f). The response I received was amusing, to say the least:
"I assure you that your password is not compromised. We do not use an Open SSL in our servers. The SSL certificate that we are using is hyper encrypted and beyond the versions of the usual SSL certificate. It is not affected by the ongoing HeartBleed issue."
Well! Now I'm completely reassured, knowign that they don't use "the Open SSL", and that their certificate is "hyper encrypted".