The private key could have been stolen any time during that the heartbleed vulnerability has been present on the server (~2 years).
This would allow for a MITM attack which would obtain user credentials and unauthorized access to a server.
Since the attack isn't recorded it's unknown if it was used extensively before it was made public. The time between announcement and patching was likely significant enough for the potential of someone stealing the private key during that period as well.
This is also why re-using the same private key for the new certificate is a bad idea.
Think about the wide variety of sites that would use a free SSL certificate that might not have the funds for revocation. Almost every site I've ever seen has had people try to hack it.
There is a fairly decent chance that a very small site would not have someone steal it's private key, but it's hard to make that assumption, that's why every site about Heartbleed suggests revocation of the old certificates.
Why not just regenerate a key and get a new cert?
Why revoke the old one if all your services will just reject it? I mean, you can do it just to be sure you don't make a mistake. But beyond this why?
Because the BROWSER is what's being attacked in a MiTM. To the server it just looks like a regular client connecting. It never sees the certificate the client saw. There is nothing for the server to reject.
1. Attacker steals the private key via heartbleed or other means
2. Attacker sets up their own server using the stolen private key
3. Attacker tricks a user into accessing their server rather than the real server via any of a number of methods, such as a compromised hotspot.
4. User provides their sensitive information to the attacker, thinking they're on the real site.
No server-side action can mitigate the risk of a stolen private key in the above scenario, since the user never communicates with the legitimate server. That said, most browsers ship with certificate revocation lists disabled by default, so revoking the certificate doesn't help nearly as many people as we'd like. But for people who do enable CRLs, they'll see the scary warning rather than their browser trusting the revoked cert.
This would allow for a MITM attack which would obtain user credentials and unauthorized access to a server.
Since the attack isn't recorded it's unknown if it was used extensively before it was made public. The time between announcement and patching was likely significant enough for the potential of someone stealing the private key during that period as well.
This is also why re-using the same private key for the new certificate is a bad idea.
Think about the wide variety of sites that would use a free SSL certificate that might not have the funds for revocation. Almost every site I've ever seen has had people try to hack it.
There is a fairly decent chance that a very small site would not have someone steal it's private key, but it's hard to make that assumption, that's why every site about Heartbleed suggests revocation of the old certificates.