Re: CVE-2014-0160 is putting bitcoin sites at risk
by
nibor
on 08/04/2014, 21:39:03 UTC
That has got to be bug of the century... if not ever.
Implies that for 2 years since the code was released, for anyone running a server using openssl 1.0.1 (up to 1.0.1f inclusive), an attacker could silently (i.e. no logging or trail) download the ssl private key off the server. And then, if they could intercept any ssl traffic between server and client, they could decrypt that data (again silently, leaving no trace). And could have been doing that for 2 years.
Or have I got the wrong end of the stick here?
This implies that every user needs to change every password on every site that was using 1.0.1?
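The post names the affected range as OpenSSL 1.0.1 up to 1.0.1f inclusive. The following is an added example (not part of the original post, and not code from OpenSSL or the site being discussed) that turns that range into a triage check: it parses the banner printed by `openssl version` and flags hosts whose build falls inside the affected range. The function names, the `SAMPLE` banners and the host labels are constructed for illustration.

```python
import re

# CVE-2014-0160 (Heartbleed) affected the OpenSSL 1.0.1 branch from 1.0.1
# through 1.0.1f; 1.0.1g was the first release with the fix.
AFFECTED_BASE = (1, 0, 1)
LAST_AFFECTED_LETTER = "f"

# Matches the start of an `openssl version` banner, e.g. "OpenSSL 1.0.1f 6 Jan 2014".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def parse_openssl_version(banner):
    """Parse 'OpenSSL 1.0.1f 6 Jan 2014' into ((1, 0, 1), 'f')."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % banner)
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, fix), m.group(4).lower()


def is_heartbleed_affected(banner):
    """True if the banner's version is 1.0.1 through 1.0.1f inclusive."""
    base, letter = parse_openssl_version(banner)
    if base != AFFECTED_BASE:
        # 0.9.8, 1.0.0 and 1.0.2 release branches are outside the range given above.
        return False
    # Patch letters sort lexicographically: '' < 'a' < ... < 'f' < 'g'.
    return letter <= LAST_AFFECTED_LETTER


def triage(banners):
    """Map host -> (banner, affected) for a list of (host, banner) pairs."""
    return {host: (banner, is_heartbleed_affected(banner)) for host, banner in banners}


# Constructed sample banners in the format `openssl version` prints.
SAMPLE = [
    ("web-1", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("web-2", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("legacy", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("web-3", "OpenSSL 1.0.1 14 Mar 2012"),
]

if __name__ == "__main__":
    for host, (banner, hit) in triage(SAMPLE).items():
        print("%-8s %-28s %s" % (host, banner, "VULNERABLE" if hit else "ok"))
```

Two caveats when using a version-string check like this in practice: distributions often backport the fix without changing the upstream version number (so a 1.0.1e banner can already be patched, and the package changelog is the authority), and the upstream advisory also listed the 1.0.2 beta as affected, which this range check does not cover. A banner check is a quick first pass for inventory, not proof either way.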