At first only passwords were sniffed out by the heartbleed exploit. Now it appears private keys are being taken as well!
This means hackers can use forged certificates of bankofamerica.com, google.com, and other sites since they can sign their own certificate of authority with the stolen keys. This is bad even if the web servers are patched it means the keys must be remade as well. Lets hope GooglePlay store and others are not compromised as a change of private keys would make the store inacccessible on older phones too.
private keys are being taken as well.