It may seem alarmist to suggest changing all passwords, but since vulnerable webservers could have their entire memory contents dumped remotely, and since we have no idea which sites were vulnerable over the 2 years this bug has existed, the safest course of action is to assume all passwords are compromised. At the very least you should be changing passwords for the sites that are known to have been vulnerable when the news broke.
As
this article points out, though, you shouldn't bother changing the password for a site while that site is still vulnerable (and if it is still vulnerable, you should probably not use it until it's fixed). When the dust has finally settled, though, your passwords should definitely all be changed.