Heartbleed but - does authorization matter?
Non-authenticated users who access a site anonymously can theoretically access any memory in the server's process space. Fortunately, it appears the attacker cannot control what area of memory he/she reads. The attacker happens to get memory around the Heartbeat Message (wherever that memory happens to be).
Authentication often occurs with passwords. Authorization usually occurs using a token or cookie. The token or cookie is a product of a successful authentication. Those secrets can be found in memory, too. Hence the reason that passwords and sessions were also reset.