One of the largest U.S. mutual fund companies, American Funds, is warning that its investors may be vulnerable to data loss through the Heartbleed bug.

The firm, which boasts more than US$900 billion in assets, announced that it has determined that there is a risk to those who logged into its site between December 12, 2013 and April 14, from the bug — which is a vulnerability in a version of popular encryption software.

“The risk, though quite remote, involves information that passes through servers maintained by one of our vendors,” the company says, noting that the vendor installed a security patch before news of the bug was made public. And, American Funds stresses, that it has “no information to suggest that any investor passwords or account information have been compromised.”

Nevertheless, the company also advises accountholders who logged into the site during the period in question to change their user ID, password, security image and security questions. Additionally, it recommends that users delete their browsing history and “cookies”, and that investors remain vigilant for any suspicious activity in their accounts.