Most websites may already be completely pwned by the Heartbleed Bug The Privacy Blog:
It is unknown if, or how often, this attack has been run in the wild. It is entirely possible that major players, like national intelligence services, may have known about this for some time, and could have been silently intercepting traffic to certain websites, potentially for over 2 years.