A “zero day” attack for this Open SSL flaw has been undetected for two or more years. The changing of static passwords at least annually is always a beneficial best practice. Some of the MAJOR impacted sites are listed below:
IMPACTED SITES YOU SHOULD SHOULD CHANGE PASSWORDS FOR: Yahoo, Flickr, Tumblr, Blogger/Blogspot, Dropbox, Facebook, Electronic Frontier Foundation, Etsy, Google, Imgur, Instagram, Netflix, Pinterest, Stack Overflow, Twitter, Wikipedia, Woot, WordPress.com/Wordpress.org and YouTube
SITES WITH STRONGER SECURITY AND NOT LIKELY IMPACTED INCLUDE: Amazon, AOL, Apple, Ask.com, Bank of America, Bing, Buzzfeed, Capital One, Chase, CNET, Craigslist, eBay, ESPN, Evernote, GoDaddy, Hotmail, HSBC, Huffington Post, Intuit, LinkedIn, Live.com, Microsoft, Newegg, The New York Times, PayPal, Reddit, Salesforce, Target, TD Bank, Walmart, Wells Fargo and Zillow.
MAJOR SITES INITIALLY IMPACTED (While most sites have been fixed – if it was on initial list as vulnerable Passwords should be revised) https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt
SITE TESTING LINK (many sites with special security controls may not allow test to work) http://filippo.io/Heartbleed/
GOOD CONSOLIDATION OF IMPACTS & GUIDELINES http://www.tomsguide.com/us/heartbleed-bug-to-do-list,news-18588.html