"Uh, should I do something about this?!?!"
Does the leak affect you? Check this list of the 4,287,625 possibly affected web domains.
You can also use this website, called "Does It Use Cloudflare?"
It might be easier to change all of your passwords as a precaution. You can *never* take your online security too seriously.
Change your passwords, and make them strong.
Lackey suggests using a password manager like 1Password (which uses Cloudflare, but was not compromised) or LastPass to create a long random string for every online account.
Make sure you have two-factor authentication enabled everywhere.
Two-factor authentication requires a code sent to your mobile phone, in addition to your password. Here's a comprehensive list of websites that have two-factor, with links to how to turn it on for every site.
It's possible that backup codes for two-factor authentication enabled within the past few months were leaked, so if you've turned the feature on recently, disable and re-enable it and generate new backup codes.
While you’re at it, add a PIN to your phone number account.
Hackers can bypass two-factor authentication by providing your name and the last four digits of your Social Security number to your mobile carrier. It’s easy to add an extra layer of security to your phone number, and here’s how to do it.
And if you are a website admin using Cloudflare on a domain, consider forcing a password change for users.
Lackey wrote, "For any sites processing highly sensitive information through Cloudflare, the lack of a quantifiable maximum exposure probably means it is worth forcing a password update [on] any sites processing."
Larger sites, which most likely have users who also use Cloudflare-hosted sites, should also consider prompting password changes in case users have reused the same password.