You know something's bad when experts say, "On a scale of 1 to 10 this is an 11."
The Heartbleed bug is a security flaw that allows hackers to easily snatch your usernames and passwords.
A Google security team found the bug, but it's been out there for two years. Beware. A lot of your personal information like your credit card number may have been compromised.
I'm told about half of all secure sites that are https are vulnerable. They include Facebook, Youtube, Instagram, Pinterest, Tumblr, Google, Gmail, Yahoo, Yahoo Mail, and Amazon, as well as many banks and financial groups.
The good news is that within the past 24 hours a lot of websites have been fixing the flaw, but since we don't know about every single one you'll probably want to wait before changing your passwords.
The best advice is to check with those sites, especially your email and banks and make the changes if they say so and when they say so.