@plioi
Last active August 29, 2015 13:58

The Heartbleed bug is a serious internet security issue that's even worse than it sounds.

Imagine that when everyone wakes up tomorrow, we all notice something fishy on our front doors. Right beside the door lock, the key to the door has been taped to the door! Anyone who walks by could use it to come and go as they please. Suppose we all also realize that our keys have been taped to our doors like this for two whole years now.

If criminals happened to notice the keys were so handy during those two years, then they've had the run of the place for that whole time. Regardless of whether criminals knew about the keys during those two years, they definitely know about it this week.

This week, all the affected websites are in a mad scramble to remove the keys from their own front doors. At the same time, criminals are in a mad scramble to walk up to every door, make a copy of the key, and put back the original so nobody knows they were there.

Responsible organizations that understand the problem are both removing the keys from the front door and changing the locks. You have to do both, right? If you just remove the keys, any criminal who already made a copy would still be able to come and go as they please. Only after the locks are changed too can the door be considered safe from intrusion.

The scope of the problem should not be underestimated. Some fraction of the affected sites are taking down the vulnerable keys from their doors. A smaller fraction of those are also changing the locks. Even if you never used your own key on a door during the vulnerable time, some jerk may be able to come and go as he pleases until the locks are changed, too. In other words, your passwords have been visible, and although changing your password is important, it isn't actually enough until the websites themselves change the locks too.
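As an added example (not part of the gist), here is a small Python check that maps the analogy onto what a visitor can actually observe: "changing the locks" means the site serves a certificate issued after the public disclosure date (April 7, 2014), and "removing the keys" means the server no longer runs the vulnerable code, which this script takes as an input rather than probing for. The sample certificates are constructed, and the `keys_removed` flag is assumed to come from the operator's own statement or a separate scan.

```python
import socket
import ssl
from datetime import datetime, timezone

# Heartbleed was publicly disclosed on 2014-04-07. A certificate whose validity
# started before that date was issued while the private key could have leaked.
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def locks_changed(cert: dict) -> bool:
    """True if the certificate's notBefore is after the disclosure date.

    `cert` has the shape returned by ssl.SSLSocket.getpeercert(), whose
    'notBefore' field looks like 'Apr  8 12:00:00 2014 GMT'.
    Caveat: this cannot tell whether the operator generated a fresh key pair or
    merely re-issued a certificate over the old (possibly copied) key.
    """
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    return issued > DISCLOSURE


def assess(cert: dict, keys_removed: bool) -> dict:
    """Combine both remediation steps into one verdict.

    keys_removed: the server no longer runs a vulnerable OpenSSL (assumed to be
    known from elsewhere; this script does not probe for the bug).
    """
    new_locks = locks_changed(cert)
    safe = keys_removed and new_locks
    return {
        "keys_removed": keys_removed,
        "locks_changed": new_locks,
        "site_safe": safe,
        # A password changed on a site that still leaks memory, or still uses
        # the old key, is just a new password handed to the same copied key.
        "password_change_effective": safe,
    }


def fetch_cert(host: str, port: int = 443) -> dict:
    """Live helper (needs network): fetch the peer certificate for `assess`."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates, not fetched from any real site.
OLD_CERT = {"subject": ((("commonName", "old.example.test"),),),
            "notBefore": "Jan  5 00:00:00 2013 GMT", "notAfter": "Jan  5 00:00:00 2015 GMT"}
NEW_CERT = {"subject": ((("commonName", "new.example.test"),),),
            "notBefore": "Apr  9 00:00:00 2014 GMT", "notAfter": "Apr  9 00:00:00 2016 GMT"}
```

Run `assess(fetch_cert("your-site"), keys_removed=True)` against a live host to see whether a password change there would do any good.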
