Your Drupal site was probably affected by Heartbleed, the encryption bug that opened security holes on sites across the Internet. Although the bug had nothing to do with Drupal, you still need to do two things to secure your site.
Step 1 is straightforward: check with your hosting company to see whether they've secured your server, and whether you need to do anything. They may tell you to get your security certificate reissued. If so, follow their instructions.
But Step 2 could easily be missed. After you've followed all the instructions from your hosting company, here's one more step: force a password change for all your users.
If your server was vulnerable to Heartbleed, all those user passwords could (in theory) have been tidily collected somewhere. Again, this vulnerability isn't specific to Drupal, it's just all part of the tasty, slightly post-apocalyptic delight we're calling Heartbleed.
Not all sites out there are forcing password changes, but why not? The tiny hassle is a small price to pay.
Drupal doesn't come with a built-in mechanism for forcing a password change, but when has that ever stopped us? Check out the excellent Password Policy module. With a couple clicks, you can force a one-time password change for every single user.
Seriously. Go do this now. Internet-wide security breaches don't happen that often. Wipe those old passwords before one of them wipes out your site.
Learn more about the Password Policy module.