The Heartbleed Bug (SSL/TLS)


By now you might have heard of the Heartbleed bug (CVE-2014-0160), a vulnerability in the popular OpenSSL cryptographic software library caused by a programming mistake. It affects any site or service running specific versions of OpenSSL: the 1.0.1 and 1.0.2-beta releases, including 1.0.1f and 1.0.2-beta1. The bug takes its name from an SSL function called heartbeat, which sends out a pulse to check the connection status. The bug allows spoofing of this “heartbeat” function and potential access to the server.

A fix is available now, and affected systems should upgrade to OpenSSL 1.0.1g. Systems that cannot upgrade immediately can instead recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

For now, you should treat every website you have visited as being insecure. We recommend that you generate new passwords for your most critical websites after the vendors have updated their servers. Also, develop a plan for how to respond to your customers.
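To find which of your own systems fall in the affected range, the following added example (not code from the original post) classifies the text printed by `openssl version -a` collected from each host. The host names and sample outputs are constructed, and it assumes that a build made with -DOPENSSL_NO_HEARTBEATS records that flag on its "compiler:" line.

```python
import re

# Matches the first line of `openssl version` / `openssl version -a`,
# e.g. "OpenSSL 1.0.1f 6 Jan 2014" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
VERSION_RE = re.compile(r"^OpenSSL (\d+\.\d+\.\d+)([a-z]*)(?:-(beta\d*))?", re.M)
COMPILER_RE = re.compile(r"^compiler:.*$", re.M)


def classify(version_output):
    """Classify `openssl version -a` text against the range stated above."""
    m = VERSION_RE.search(version_output)
    if not m:
        return "unknown"
    base, letter, beta = m.groups()
    # 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g has the fix.
    in_range = (base == "1.0.1" and letter <= "f") or (
        base == "1.0.2" and letter == "" and beta == "beta1")
    if not in_range:
        return "not-affected"
    # Assumption: a build made with -DOPENSSL_NO_HEARTBEATS records the flag
    # on the "compiler:" line that `openssl version -a` prints.
    compiler = COMPILER_RE.search(version_output)
    if compiler and "-DOPENSSL_NO_HEARTBEATS" in compiler.group(0):
        return "heartbeat-disabled"
    # Distribution packages can carry a backported fix without changing the
    # version letter, so confirm an "affected" result against the package
    # changelog before treating it as final.
    return "affected"


def audit(inventory):
    """Map each host name to its classification."""
    return {host: classify(text) for host, text in inventory.items()}


# Constructed sample inventory (host names and build lines are made up).
SAMPLE_INVENTORY = {
    "web01": "OpenSSL 1.0.1f 6 Jan 2014\ncompiler: gcc -fPIC -DOPENSSL_THREADS -O2\n",
    "web02": "OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -fPIC -DOPENSSL_THREADS -O2\n",
    "vpn01": "OpenSSL 1.0.1e 11 Feb 2013\n"
             "compiler: gcc -fPIC -DOPENSSL_NO_HEARTBEATS -O2\n",
    "lab01": "OpenSSL 1.0.2-beta1 24 Feb 2014\n",
    "old01": "OpenSSL 0.9.8y 5 Feb 2013\n",
    "odd01": "LibreSSL 2.0.0\n",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as "affected" are the ones to upgrade or rebuild first, and the ones whose certificates and passwords deserve attention once the fix is in place.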

Here is a list of major services affected including whether or not you need to change your password with them:

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/