Heartbleed is caused by a vulnerability in OpenSSL cryptographic source code library. The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.
The vulnerability allows hackers to send a cleverly formed, malicious heartbeat message that tricks a web server into divulging sensitive information, including usernames and passwords. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.