About the heartbleed bug
The secret keys can be leaked from the service or hosting provider, which allows an attacker to decrypt any encrypted traffic to the web server, such as passwords. The attacker can then use e.g. the credentials to authorize as the user. Off course all other confidential or private information is exposed by this security flaw as well. To point out the seriousness of this vulnerability, some of the most known companies that has been exposed to the heartbleed bug is: Google, Yahoo and Instagram. It still haven’t been confirmed if Facebook was affected by the Heartbleed bug
Bug is in the OpenSSL’s implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520). When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.
You should change all your passwords after the hosting/service -provider has confirmed that the system is patched. All companies which knows about security, big as small, should at this time have patched the security flaw.
Here’s a good list of well known companies that was affected and if they have reacted: