Heartbleed

How does having 2-step-authentication on one's accounts relate to all the heartbleed stuff?

Even with the bug, wouldn't an attacker still have to trigger 2-step-authentication to get into my Google, facebook or dropbox accounts? Or is that compromised too?