
This is one of those things about which you think "Ah, what are the odds of me being affected?", but which quickly changes to "This is pretty bad..." and finally to "FUCK FUCK FUCK, WHY?".

Two years is a long time, people. If ordinary people can write proofs of concept in less than 24 hours after it is publicly disclosed, what to think of those getting paid to find and abuse such bugs? I mean, what are the odds this bug was not abused in production environments over the past two years?




It might be a coincidence, but last month I received an alert that someone tried to sign in to my hosting control panel using the correct password (which was long and random), but was fortunately blocked by a geo-filter (which blocks requests from outside my country). I do not know to this day how my password leaked, and that's one possible candidate cause.


Someone broke into my yahoo account a month or two ago to send spam. I changed passwords quickly enough.

It was low-priority, but looking at the passwords that people have captured from yahoo's servers, I used a very very common password theme. Also, a lot of Yahoo users were born between 1970 and 1975.


I had a similar issue with my email account. The password is only used for that specific service, and I got a notification yesterday that someone had tried to access the account with the correct password.

Coincidence, could be. But probably not.


Really I can only assume that there are plenty of other bugs out there. It's just a matter of how few people know about any of them. I dunno, keep your secrets close. PGP. Meh.
