The Heartbleed exploit discloses arbitrary server memory; as we speak, people are using it to steal session tokens from major services and log in as the affected users.
THIS DOES NOT REQUIRE A MITM TO IMPERSONATE USERS.
Even if the servers have been patched, most do not seem to be invalidating their old sessions, so old stolen sessions will continue to work.
Some major services that did not expire sessions include Facebook and Steam, which patched OpenSSL but didn't expire tokens.
Friendly note to any devs patching OpenSSL today: please expire your sessions.
https://www.michael-p-davis.com/using-heartbleed-for-hijacking-user-sessions/
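Below is an added example of what "expire your sessions" looks like in code; it is not from the post or the linked article. It assumes a hypothetical in-memory session store where each session records when it was issued, so that a single global "valid-from" cutoff (set to the time the patch went in) rejects every pre-patch token, whether or not an attacker already holds it.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    token: str
    user_id: str
    issued_at: float  # Unix timestamp at issue time


@dataclass
class SessionStore:
    """Hypothetical in-memory session store with a global 'valid-from' cutoff.

    Any session issued before `valid_from` is treated as revoked, even if a
    copy of it is still in the store. An operator can therefore invalidate
    every pre-patch session with one call, instead of trying to find the
    specific tokens that may have leaked.
    """
    sessions: Dict[str, Session] = field(default_factory=dict)
    valid_from: float = 0.0

    def issue(self, user_id: str, now: Optional[float] = None) -> Session:
        """Create a fresh session; `now` is injectable for deterministic tests."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        session = Session(token=token, user_id=user_id, issued_at=now)
        self.sessions[token] = session
        return session

    def revoke_issued_before(self, cutoff: float) -> int:
        """Revoke every session issued before `cutoff`.

        Raises the global cutoff (never lowers it) and drops the stale rows.
        Returns the number of sessions removed.
        """
        self.valid_from = max(self.valid_from, cutoff)
        stale = [t for t, s in self.sessions.items() if s.issued_at < cutoff]
        for token in stale:
            del self.sessions[token]
        return len(stale)

    def lookup(self, token: str) -> Optional[Session]:
        """Return the session for `token`, or None if unknown or revoked.

        The cutoff check is applied on every lookup, so a token that somehow
        survived (e.g. in a replica that missed the deletion) is still refused.
        """
        session = self.sessions.get(token)
        if session is None or session.issued_at < self.valid_from:
            return None
        return session


if __name__ == "__main__":
    # Constructed walk-through: a session issued pre-patch, a patch at t=200,
    # then a post-patch login. Only the new token is accepted afterwards.
    store = SessionStore()
    leaked = store.issue("alice", now=100.0)
    print("pre-patch token valid:", store.lookup(leaked.token) is not None)
    print("revoked:", store.revoke_issued_before(200.0))
    print("pre-patch token valid after patch:", store.lookup(leaked.token) is not None)
    fresh = store.issue("alice", now=250.0)
    print("post-patch token valid:", store.lookup(fresh.token) is not None)
```

The cutoff timestamp should be the moment the patched OpenSSL was actually serving traffic, not the time the package was downloaded; any token issued while the vulnerable library was still running has to be assumed readable. The same approach works for a database-backed store: record `issued_at` per row and keep `valid_from` in a config table consulted on every request.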