Since the announcement of the bug there had been some speculation as to what memory would actually be leaked. There were a very few researchers who speculated that sensitive data might not actually be leaked, primarily because of the way servers allocate dynamic memory. CloudFlare ran some internal testing and had trouble confirming that certain sensitive information could be leaked by Heartbleed, specifically the private keys to the server. So, they put up a vulnerable server and challenged the Internet community to break into it. Two people independently snagged the private keys from the server using only the Heartbleed bug within the first day.
Since that time, the certificate authority that issued the server's certificate has revoked the certificate. You can no longer visit the website because of this, presumably CloudFlare will get a new certificate after the server has been patched, for the time being the server is an excellent resource for security researchers. I set one of my servers to exploit their test server and have successfully pulled a memory dump of their private key. It would take a bit more work to get this raw data into the widely recognized PEM format, but I only cared about the proof of concept since the competition has already been "won".
The winners of the competition along with the memory dump I was able to retrieve serve as proof that the Heartbleed problem is as bad as originally predicted. If you ran a server with the affected versions of OpenSSL (1.0.1 to 1.0.1f inclusive) then you need to assume all your private data has been compromised. You need to revoke any certificates, change passwords, and assume everything else has been leaked.