According to Andrew Storms, organizations should also rotate keys on all affected systems. "This will mean you'll need to regenerate SSL certs and get them signed by your certificate authority."
Keanini warns businesses not to focus only on external-facing servers, or even on only their own servers. "They should also check internal systems as malware is sure to use this method to harvest credentials. Also, make a list of business partners, make sure you check them and educate them on the seriousness of this bug in their IT infrastructure."
Should everyone change all of their passwords?
The answer is, "Yes"...but maybe not just yet.
Everyone should reset all passwords because there is no way to know which, if any, have been compromised. With an issue that affects virtually every site and service on the Internet, it's fair to assume your passwords were potentially compromised. However, there is little point in rushing to do it before the sites have patched and updated, otherwise your new passwords will also be exposed to the same issue.
As Andrew Storms puts it, "Whether or not you need to change your password due to this specific bug is a personal decision. But changing your password on a regular basis is a good idea."