> To date, we have yet to find any instance of the bug being exploited, but we recommend if you are concerned that you invalidate and reissue any persistent secrets, such as long lived session identifiers, tokens or keys. Due to the nature of the bug, customer SSL keys were not exposed and do not need to be rotated.<p>This should be rewritten: <i>Any data sent to or from users of your website during the time the bug was live is potentially cached permanently. This includes all session identifiers, passwords, email addresses, and PII that was sent or received by your website. We recommend immediately rotating session secrets to prevent session hijacks using this data, notifying all you customers and forcing password resets.</i>