Some versions of a piece of code widely used on web servers for secure transactions (e.g. account login) have contained a bug since 2012. The upshot is that for around 2 years it has been possible for someone to see your passwords if you visited an affected web site.
For anyone using the same password on several sites this is a particular disaster, because all of those accounts are exposed by just the one afflicted site.
The word is that no-one knew about it until about a week ago, but you probably shouldn't rely on that.
The problem now is:
If you don't change your password, someone may have it. If you do, and the website has not updated its servers, then someone may get both the old and the new!
Websites should be contacting their customers and telling them to change their password if they were affected and they have fixed it. Ideally those not affected should let you know they were not affected. But there seems to be very little response.
These two links contain lists of some of the few who seem to have declared their position: