Board: Altcoin Discussion
Topic: Re: Digitalcoin Dev ROBBED!
Post by RMaxwell on 13/04/2014, 13:15:50 UTC

Would be easier to believe dev when he said probably bug in PHP than blaming Heartbleed now.  My head spins!

Dev said only high value cave accounts attacked.  So attacker hammered server w/ heartbeat requests for long time and got lucky finding some passwords in memory.

And must be just at right time when high val accounts were logging in else 99.99999% chance memory overwritten (plus password not always exposed w/ Heartbleed...high val accounts must have logged in many many times to get lucky!).

Then somehow tied those passwords to only biggest accounts.  Oh yeah almost forgot...need to know username and pin too!

Oh wait dev said in IRC noticed Gmail account hack of biggest accounts too...remember?  So bad guy hacked Gmail too, or planted virus assuming *all* high val accounts use Windows.

Username ok, could be plain texted in email.  But pin was plain texted in signup email?  Can't be...then no security for pin!  Where did bad guy get all these pins for high val accounts?  Only if pin was plaintexted back and seen in memory (w/ password at same time...not guaranteed!).

Else only way to see is w/ db hack and unsalted fields...which is bad security not Heartbleed.

All so this bad guy could get maybe a couple $k of precious dgc from low profile exchange...

Really fishy smell.  But many many gullible guppies in dgc pool so perfect convenient excuse...win-win!