UPDATE 1-American Funds advises password changes, cites 'Heartbleed' risk

(Adds comments from American Funds spokesman)

BOSTON, April 16 (Reuters) - American Funds, one of the largest U.S. mutual funds families, sent an email to 825,000 shareholders on Wednesday advising them to change user names and passwords, citing "a very narrow window of risk" related to the "Heartbleed" Internet threat.

The notice said the risk applies to customers who logged into Americanfunds.com from Dec. 12, 2013 to April 14. In addition to changing user IDs and passwords, it advised them to create new security questions and images, and delete history and "cookies" from Web browsers.

Worries are growing about the potential fallout from a major security bug in a piece of software known as OpenSSL that is embedded into about two-thirds of the world's websites and products from many technology vendors.

Experts say hackers could to steal vast quantities of data from websites secured with OpenSSL without leaving a trace. On Tuesday, Canada's Tax authority became the first major organization to report an attack related to Heartbleed, and more are expected.

American funds spokesman Chuck Freadhoff said his firm does not believe it has been breached and issued the notice "out of an abundance of caution" after learning that a vendor had been "affected" by Heartbleed. He declined to elaborate or identify that vendor.

"We have no evidence or belief that any information was used to gain access to any shareholders account," he said. "In fact it would be almost impossible to access a shareholder's account and transact, given the multiple layers of security within the American Funds system."

American Funds, which is part of closely held Capital Group Cos, is the No. 3 mutual fund family with $1.1 trillion in assets under management at the end of December, according to Morningstar Inc.

(Reporting by Jim Finkle. Additional reporting by Toni Clarke, Ross Kerber and Tim McLaughlin Editing by Richard Valdmanis and Richard Chang)