AWS's ELB (which we use) were vulnerable, we'll be replacing certificates ASAP. We (and most the rest of the internet using ELB) seem to be in the clear now:

    ./heartbleeder zapier.com
    SECURE - zapier.com:443 has the heartbeat extension enabled, but timed out after a malformed heartbeat (this likely means that it is not vulnerable)

When did you run your check? Do you have a recent binary of heartbleeder?