If you still haven't changed your passwords to websites affected by the Heartbleed bug, then beware, hackers may be targeting you.
"Hackers are looking for those who haven't yet changed their passwords and for services who did not install a patch quick enough," said Christopher Hadnagy, chief human hacker at the security consulting company Social Engineer.
It's been almost a month since the Heartbleed vulnerability was revealed, yet according to a recent report by the Pew Research Center, only 39 percent of Internet users who knew about the bug changed their passwords or canceled their accounts.
"People just aren't changing their passwords and they are using the same password over and over again, and they are completely oblivious to how dangerous this is," said Robert Siciliano, a McAfee online security expert.
One reason Internet users may not have taken action yet is because they think the websites have taken care of the problem, said Vinny Troia, security expert and founder of Night Lion Security.
"Something a lot of people don't realize is just because a researcher from Google released this information to the public doesn't mean that somebody didn't already know about the breach and take advantage of it," Troia said.
In other words, a patch may be in place, but a hacker may already have your unchanged password and could be using it.
Another reason many people still haven't taken the initiative to change their passwords is because they simply don't believe that a security breach could happen to them, Hadnagy said.
"I can't tell you how many times I've sat across the table from big companies, big clients that say 'That won't happen to us, our people will know better than that.' And they believe that. We call it the ostrich system, because it's just like them putting their head in the sand," he said.
But regardless of the Heartbleed breach, consumers should be changing their passwords to critical accounts every six months to help prevent new security breaches, Siciliano said.
—By CNBC's Cadie Thompson.