First of all, credit to TM Ownership (and presumably internal security staff) for responding to this. The password requirement improvements and communicating a vulnerability reporting process are progress.
However, this post really feels like an earnest communication effort from a security department overly edited by a marketing department, removing the ability to know the precise security situation. By 4/15, it is clear that most web sites that were vulnerable to Heartbleed were no longer running the vulnerable versions of OpenSSL, nor had they any evidence of exposure. (There would typically not be any evidence left in a successful exploit of Heartbleed.)
What would be a better statement to make is whether Tesla was running a vulnerable version of OpenSSL during this period and that it was patched since. In that scenario, there was a clear possibility of a leak and we should definitely rotate passwords - indeed many sites are requiring it. Given that you recommend that we all rotate passwords, I assume that is the case but it's a pity you are not clearer on the subject, as many web sites have been.
These two statements seem in conflict in the context of Heartbleed:
> Your account details remain secure.
> we recommend that our customers change their passwords as an added precaution.
How do you know our account details remain secure if there was ever Heartbleed exposure? If there was never exposure, please say so.
Thank you!