How is this still not answered?  Anywhere?

I hate it when people try to gin up importance in their posts with something like "I'll never buy from Verizon again", but this is literally stopping me from buying multiple phones (and also stopping me from logging in to view my bill, account usage, etc).

Its just completely unacceptable to not put something somewhere(front page?  forums?  FAQ?  >anywhere) indicating if the site was vulnerable and whether or not its been patched.  The only vague indicator we have is the age of the SSL certificate, which is several months old, so that's bad at the least.  And on top of that we have to log in to interact with support in any way?

c'mon VZ...  A little effort please.

That's progress, but not very reassuring.

#1 - the vulnerability hit major news outlets 2 weeks ago.  That's 2 weeks worth of hackers hitting any site with a large number of users and personal (especially financial) information (which Verizon certainly qualifies for).

#2 - the vulnerability will leave no "evidence of any compromise".  If a hacker attacks the site, and gains access to personal information, there is no way for Verizon to know.

#3 - the vulnerability can not be detected, but it can be patched.  Easily.  I work for a company that provides an online service, and it took us about 4 hours to patch 20 public facing servers and request new SSL certificates.  We have 2 admins.  Verizon certainly should have more.  Both of these steps are critical, and just not that difficult.

#4 - "to follow good online security practices, including choosing unique passwords and changing them periodically" - This is actually TERRIBLE advice in the face of heartbleed.  If a user has not logged in for months, and their data is not currently compromised, and Verizon is vulnerable - then logging in to change a password could in fact subject their information to attack when it is otherwise safe.

To repeat - the ONLY path to acceptable solution here is:

   1 - Verizon needs to verify if they use OpenSSL on any server systems.  Note that other than IIS (Microsoft) servers, this is estimated by some to affect 80% of public servers.

   2 - If they do use OpenSSL, do they use one of the affected versions.  This is likely, as it affects every version released for the past few years.

   3 - If one of the affected versions was used, there is no way to detect if a breach occurred.  Encouraging people to change passwords in this case could be disastrous.  Verizon first needs to patch all affected systems, then obtain new server SSL certificates, and then notify all customers to change passwords.

   4 - Preferably Verizon would work with a major news outlet (Mashable is currently taking the lead on this issue) and provide details.

Again, I for one would like to order multiple phones for my family, but can't justify doing so until a clear response to this is provided.  If this lags long enough for the buy one/get one promotion to expire, that might actually be enough to make me consider switching providers.  Saying "we haven't found anything yet, but you should go ahead and change your passwords" is terrible advice.

Thanks.

Agreed heartbleed. Excellent response to Verizon. The Verizon response is irresponsible to say the least. Basically, "we still haven't figured out if we are vulnerable yet, we are still looking". What? It begs the question, who are you Verizon? I have worked for a large corporation before and sometimes the right hand doesn't know that the left hand is doing, but this is crazy. Companies much larger have responded to the threat - 2 weeks ago!

I am concerned Verizon. You either don't care about your customers data or you are just plain ignorant. Perhaps both.

Lovely.  Now the buy one/get one promotion for the G5 has expired, and this is still not addressed.  In my opinion that effectively costs me $200 for that second phone.

Let me show you how this is done:

• Sprint Community: Announcements: Heartbleed Bug - Sprint.Com Unaffected
  
  Sprint's director of IT confirmed authoritatively that Sprint was not affected.  Not "we have no evidence of compromise".  Please understand that there is an enormous difference between those two statements

And not done:

• AT&T on Heartbleed & OpenSSL
  AT&T is taking a similar approach to Verizon, that "no evidence that the Heartbleed vulnerability has been exploited in our infrastructure or service components".  That statement of course is completely useless - if any IT person takes the time to read 5 paragraphs on the Heartbleed bug, you'll realize that no evidence is left of an attack.  Either you were vulnerable or you weren't.  Tell us, stop looking for evidence.
  
  
• Space Search | T-Mobile Support
  T-Mobile might be the worst of the 4 - they are providing no response whatsoever.  Then again, I question their users for not really even posting questions.

My family plan runs close to $250/month, or $3,000/year.  If Sprint offers any kind of reasonable phones and plans, you have just lost that Verizon.  And why?  Because you can't simply take 5 minutes to log into your web servers and run 3 commands:

• openssl version
  If this says anything less than 1.0.1g, tell us, and fix it below
• apt-get update ; apt-get upgrade (if you're on a Debian system)
  yum update (if you're on a Fedora/CentOS system)
• Contact your SSL certificate provider and request new SSL certificates
  

Really - this should take 15 minutes.  I've done it, and I don't hold millions of dollars in revenue in my hands.  How is this not your top priority?