There are so many options for this exploit: everything that uses OpenSSL is exposed, even IRC, or anything using FTP with SSL encryption, etc. Basically, if OpenSSL is used in any programme and it's activated (actively used), then from my understanding it is open for users to decipher private information. It's hard not to scare people with this exploit, but the capacity of people to actively start harvesting information at this point is quite negligible. Definitely change your passwords, though, until sites and software update their OpenSSL platforms to the fixed version.
If you take anything away from this: assume the worst, change all your passwords.
Also, it's a concerted effort: educate the websites etc. that you use and tell them they need to upgrade or switch to an alternative:
https://www.openssl.org/news/secadv_20140407.txt