The “Heartbleed Bug,” officially know as CVE-2014-0160, is one of the most far reaching vulnerabilities ever discovered. It allows a hacker to break the encryption on webpages, and steal personal information such as credit card numbers, but more importantly passwords.
When you connect to a secure website, the website uses something know as SSL to encrypt your connection. By doing this, all the data that’s sent between you and the website is meaningless to anyone except those who have the decryption key, i.e., you and the website. One of the features of SSL is that it uses a “heartbeat signal” that is repetitively sent between you and the website to confirm that you are still connected to the real thing. Your computer sends the website a special packet of data, and the website responds with another special packet. Heartbleed exploits a vulnerability in the OpenSSL brand of SSL that allows a hacker to create an abnormal heartbeat packet, which, when sent to the server, will get it to respond with the decryption key. Once the hacker has this key, he can use it to decode all your communications with the website and get more information, like your password.
Not all websites were vulnerable to Heartbleed, but most were. These include Gmail, Twitter, Facebook, Instagram and many more. Even though all major websites, and most small ones, have patched the bug by now, any information that you sent before it was patched could have been stolen.
This is why it’s extremely important that you change your password for all of the online services that you use. A hacker could have stolen your password before the bug was fixed, and has just not used it yet. Keep in mind that this must be done after the site you’re using has fixed the bug. If they haven’t fixed it, then you make your new password vulnerable too. All major websites (Facebook, Twitter, Google, etc.) have fixed it, but when working with a smaller website, like a corporate intranet for example, you should check with the administrator to make sure first.