TL;DR - This is a big, big deal. Take this seriously for the next few weeks at least and don't think for a second that you're secure.
This is copied from my comment in another post but I think it's worthy of its own place.
Ahem (dons tech guy hat) ... yes, change your passwords. Do it now. But don't make the mistake of believing you're done.
I'm the digital tech lead for a major global retailer (not telling which one!) so when it comes to securing your data in the wake of HeartBleed, I'm your guy. And I can tell you that after 4 very long days, I'm still not 100% ready to call it. Bruce Schneier, who is not in the least prone to hyperbole, says that on a scale from 1 - 10 this is an 11. It's true .. the implications of this breach are staggering.
We like to think of websites as very insular creatures ... if you visit bobs_big_website.com, bob himself is in charge of that data transfer. This is untrue for the vast majority of sites. In fact, bob uses a handful of service integrations (callouts to twitter, for example) and social sign-on handlers, each of which has its own infrastructure to handle https requests. Bob can do everything right and you can still be at risk.
This becomes even more convoluted due to some misinformation out there about how to test. One heinous rumor is that Windows servers are unaffected. While this is technically true since they don't use OpenSSL, most servers sit behind a load balancer (which is sort of like a traffic cop for multi-server setups). If that load balancer is using OpenSSL (for example, Amazon ELBs which handle a substantial swath of traffic) then those sites are compromised too.
After all the patching, etc ... the very last step is to regenerate SSL keys and ask/force users to change passwords. But if we've missed any piece (or if any of our integrated services miss a piece on their end) then you're not technically secure. Really, the only way to squash this thing is for everyone to do their part.
It's going to take weeks or longer for a coordinated global effort to unravel this. In the meantime, I suggest using two-factor authentication wherever possible as well as frequent password changes. And if you use the same password in multiple places (you know who you are), then for the love of $deity, stop that!
UPDATE: One of my colleagues just passed out this handy reference list of which sites are confirmed affected:
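The load-balancer and third-party-integration points above boil down to one rule: exposure is decided by whatever terminates TLS on each path, not by the OS of the box behind it. The following is an added example (not the poster's code) of an inventory check a defender can run over a constructed list of a site's TLS terminators; the site names, banners and paths are all made up, and only the OpenSSL version string is inspected.

```python
import re
from dataclasses import dataclass
from typing import List

# Heartbleed (CVE-2014-0160) lives in OpenSSL 1.0.1 through 1.0.1f and in 1.0.2-beta1.
# 1.0.1g and 1.0.2-beta2 carry the fix; 0.9.8 and 1.0.0 never had the heartbeat code.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def openssl_version_affected(banner: str) -> bool:
    """True if the banner names an OpenSSL version in the Heartbleed-affected range.

    Caveat: distro builds often backport the fix without bumping the letter
    (e.g. Debian's 1.0.1e-2+deb7u7), so 'affected' means 'go verify', not 'owned'.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return False  # not OpenSSL at all: SChannel, NSS, GnuTLS, ...
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        return letter < "g"        # plain 1.0.1 and 1.0.1a..f are affected
    if (major, minor, patch) == (1, 0, 2):
        return beta == "1"         # only 1.0.2-beta1 shipped the bug
    return False


@dataclass
class Edge:
    name: str       # the component that terminates TLS for this path
    tls_stack: str  # its TLS software banner
    path: str       # which user-facing path it fronts


# Constructed inventory for a hypothetical site: the Windows origin is clean,
# but the ELB in front of it and one social sign-on provider are not.
BOB_INVENTORY = [
    Edge("aws-elb", "OpenSSL 1.0.1e-fips 11 Feb 2013", "/login"),
    Edge("iis-origin", "Microsoft SChannel (Windows Server 2012)", "/login origin behind ELB"),
    Edge("social-signon-provider", "OpenSSL 1.0.1f", "/oauth/callback"),
    Edge("cdn-edge", "OpenSSL 1.0.0m", "/static"),
    Edge("twitter-callout", "OpenSSL 1.0.1g", "/api/tweets"),
]


def exposed_paths(site: str, edges: List[Edge]) -> List[str]:
    """Every path whose TLS terminator ran affected OpenSSL, whatever the backend OS."""
    return [f"{site} {e.path} via {e.name}" for e in edges if openssl_version_affected(e.tls_stack)]


if __name__ == "__main__":
    for line in exposed_paths("bobs_big_website.com", BOB_INVENTORY):
        print("rekey + revoke + force password reset:", line)
```

Each flagged path needs the full sequence the post describes: patch the terminator, regenerate keys and reissue certificates, then force password changes.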