Common Vulnerabilities and Exposures

CVE-2014-0160 is the official reference to this bug.
As Caolan Greene just mentioned in his blog post "Half a million sites are vulnerable", it is otherwise known as the Heartbleed bug.
It allows an attacker to grab 64K of random memory from a server, multiple times, while leaving no trace.
Anything can be in that memory, such as SSL private keys and user keys. According to Bruce Schneier, who has been writing about security issues since 2004, the bug has been patched. Even so, he says that “after you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected.”
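
The missing length check behind this bug, shown as a simplified model next to its hardened form (an added example, not code from the original post or from OpenSSL). The function names, the 256-byte buffer standing in for server memory and the secret string are constructed for illustration; the message layout follows the TLS heartbeat extension (RFC 6520).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER  ((size_t)3)   /* 1-byte type + 2-byte payload length */
#define HB_PADDING ((size_t)16)  /* minimum padding required by RFC 6520 */

static const char SECRET[] = "CONSTRUCTED-PRIVATE-KEY"; /* constructed sample */

/* Vulnerable pattern: echoes as many bytes as the message claims to carry. */
size_t hb_reply_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;               /* real record size is never consulted */
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

/* Hardened pattern: silently discard if the claim exceeds the record. */
size_t hb_reply_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < HB_HEADER + HB_PADDING) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return 0;
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

/* Returns 1 if the reply contains bytes that were never sent in the request. */
int reply_leaks(size_t (*handler)(const uint8_t *, size_t, uint8_t *)) {
    uint8_t mem[256] = {0};      /* stands in for server process memory */
    static uint8_t out[65535];   /* large enough for any 16-bit length */
    const size_t rec_len = HB_HEADER + 2 + HB_PADDING; /* 21 bytes received */
    mem[0] = 1;                  /* heartbeat_request */
    mem[1] = 0; mem[2] = 64;     /* claims 64 payload bytes... */
    memcpy(mem + HB_HEADER, "hi", 2);              /* ...but carries 2 */
    memcpy(mem + rec_len, SECRET, sizeof SECRET);  /* unrelated adjacent data */
    size_t n = handler(mem, rec_len, out);
    return n > rec_len - HB_HEADER &&
           memcmp(out + (rec_len - HB_HEADER), SECRET, sizeof SECRET - 1) == 0;
}

int main(void) {
    printf("vulnerable handler leaks: %d\n", reply_leaks(hb_reply_vulnerable));
    printf("fixed handler leaks:      %d\n", reply_leaks(hb_reply_fixed));
    return 0;
}
```

The 16-bit length field is why a single reply tops out at 64K, and the over-read is an ordinary memory copy inside a normal reply, which is why the server records nothing unusual.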
