Executive Summary: Take a careful look at the problem. It is real. Some passwords may need to be changed.
Small sites are the most likely to reveal information about you to bad guys who know you.
Big sites are the most likely to reveal information about you to bad guys who probably don't care about you.
The result is that the server returns up to 64KB of its own Random Access Memory. The odds that it includes information about you are inversely proportional to how much traffic the server is handling.
Heartbleed appears to be the result of an honest inadvertent mistake two years ago. It affects a subset of Secure Sockets Layer implementations. You see them as
and the lock icon.
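Why the ceiling is 64KB, as an added example (not code from OpenSSL or from this post): a heartbeat message carries a 16-bit payload length field, and the flaw was trusting that field instead of the size of the record that actually arrived. The record layout follows RFC 6520; the function names and sample records are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER  3   /* 1-byte type + 2-byte payload length (RFC 6520) */
#define HB_PADDING 16  /* minimum padding required by RFC 6520 */

/* Payload length the sender claims: a 16-bit field, so at most 65535. */
static size_t hb_claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Bytes past the end of the received record that a handler trusting the
 * claimed length would copy into its reply. 0 for an honest record. */
size_t hb_overread(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER) return 0;
    size_t claimed = hb_claimed_len(rec), present = rec_len - HB_HEADER;
    return claimed > present ? claimed - present : 0;
}

/* Hardened echo: reply only when header + claimed payload + padding fit in
 * the record that actually arrived. Returns reply length, 0 if discarded. */
size_t hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap) {
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != 1) return 0;
    size_t claimed = hb_claimed_len(rec);
    size_t need = HB_HEADER + claimed + HB_PADDING;
    if (need > rec_len || need > cap) return 0;   /* the bounds check */
    out[0] = 2;                                   /* heartbeat_response */
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    memset(out + HB_HEADER + claimed, 0, HB_PADDING); /* zeros here; RFC 6520 asks for random */
    return need;
}

int main(void) {
    /* Constructed sample records, not captured traffic. */
    uint8_t honest[HB_HEADER + 5 + HB_PADDING] = {1, 0, 5, 'h', 'e', 'l', 'l', 'o'};
    uint8_t lying[HB_HEADER + HB_PADDING] = {1, 0xFF, 0xFF};
    uint8_t out[64];
    printf("honest: over-read %zu, reply %zu bytes\n",
           hb_overread(honest, sizeof honest), hb_respond(honest, sizeof honest, out, sizeof out));
    printf("lying:  over-read %zu, reply %zu bytes\n",
           hb_overread(lying, sizeof lying), hb_respond(lying, sizeof lying, out, sizeof out));
    return 0;
}
```

The hardened handler discards the second record silently, which is how a patched server behaves; without the check, whatever sat in memory next to the record would go out in the reply.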
Users, admins, developers: Here's what to do about Heartbleed
Heartbleed is bad, but you can mitigate its damage, albeit via different approaches for users, admins, and developers
This is for users.
Users need to understand that the first steps need to be taken by admins. Two steps are needed: update OpenSSL and update certificates.
How, as a user, do you know whether a site was vulnerable or whether both fixes have been applied?
This is the best test I have found.
Any vulnerable site in possession of a password needs a new password. If you have used the same password in other places, it needs to be changed anywhere an impersonation of you may be damaging.
A long searchable list of big vulnerable sites is here.