Cloudflare has been compromised. It appears that someone has been exploiting a bug in Cloudflare to retrieve data in a manner similar to the Heartbleed bug. Odds are, most of these sites have been affected, including other forums such as Omnimaga, so:

CHANGE YOUR PASSWORDS

(Incomplete) list of sites using Cloudflare: https://github.com/pirate/sites-using-cloudflare

Source: https://www.lifehacker.com.au/2017/02/cloudflare-cloudbleed-bug-exposes-sensitive-data-who-is-affected/
Primary sources to better inform yourself:
pimathbrainiac wrote:
Cloudflare has been compromised.
More like they compromised themselves; this exposure was not caused by any attack targeting them.

Quote:
It appears that someone has been exploiting a bug in Cloudflare to retrieve data in a manner similar to the heartbleed bug.
There's no evidence this was actively used to exfiltrate secrets (and it was difficult to target), so saying someone was exploiting it is misleading.

Quote:
Odds are, most of these sites have been affected, including other forums such as Omnimaga, so: CHANGE YOUR PASSWORDS
This is the most paranoid interpretation, and it's a good security recommendation. Whether it's worth the time and effort is a question nobody can answer for you, but some observations:
  • Cloudflare state the bug was at "greatest impact" from February 13 through 18, affecting about 1 in every 3 million requests.[1] They don't say when the buggy code was first deployed, so it's unclear whether the vulnerability window extends much further back in time; the paranoid assumption must be that it was in place for a long time.
  • Exploitation of the bug to read uninitialized memory from Cloudflare's middlebox required only making a request that reaches an origin server that responds with malformed HTML. If a malicious party were aware of this bug before it was fixed, they could have quietly exfiltrated data without visibility to anybody but Cloudflare. However, they would be unable to target individual sites and would instead receive a random sampling of all traffic passing through Cloudflare.
  • The bug was mitigated on Cloudflare's end within 8 hours of it first being reported, about three days before public disclosure. It is not possible that opportunistic attackers could have exfiltrated data without independently discovering the problem (barring the ability to observe private communications between Google and Cloudflare or within either organization).
  • Many parties (such as search engines) currently hold copies of pages containing samples of uninitialized memory from when the bug was live. (Archived sample from DuckDuckGo.) Many of them will have proactively tried to expunge those samples from their copies (such as Google, as reported in the Project Zero report), but others will probably linger for some time. I can't find public numbers about the request volume Cloudflare see on a regular basis, so it's hard to judge how many affected pages might have been served. A pessimistic assumption is that every affected page that was served during the time the bug was live will be available for analysis indefinitely, as interested individuals and groups track down what they can before it disappears from public caches. Realistically, it will be some fraction of all of them, but we don't have enough data to make educated guesses.
[1] These wouldn't have been randomly distributed, as I observe in the second point. If it were being actively exploited, this number is just about meaningless.

For my part, I can't be bothered to change a bunch of passwords, in large part because I don't use any of the highest-profile services that are known to be affected, and the lower-profile ones I do use (which may be affected but aren't confirmed) are infrequently used and/or unimportant to me. I have decided the threat is not sufficiently large to warrant that much effort from me.

I am still largely unconvinced of the benefits of Cloudflare's services (consider: if I were, Cemetech and other sites I run or am involved in running would probably be using it), and exposure of these issues raises concerns about the quality of their engineering practice, but I don't want to judge them too harshly, because I'd judge them to be somewhere above the industry mean based on their statements here, and this will likely spur them to improve.

For related reading, consider Sven Slootweg's critique of their service's purported benefits, much of which I agree with.
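The bug class described in the post above (a parser fed malformed HTML runs off the end of its page buffer and copies adjacent memory into the rewritten response) in miniature, as an added example that is not part of the original thread and is not Cloudflare's code. A toy `<script` tag extractor that trusts every tag to be closed sits beside one that honours the declared page length and rejects an unterminated tag. The page text, the "neighbour" bytes laid out immediately after it and the `s3cr3t` token are all constructed for the demonstration; the two buffers share one array purely so the over-read is deterministic and stays inside memory the program owns.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed data, not from the incident: a page whose <script> tag is never
 * closed, followed in the same memory region by the next request's data. */
static const char page_html[] = "<html><p>hi</p><script src=\"x.js";
static const char neighbour[] = "Cookie: session=s3cr3t-token-for-another-site >";

/* Lay the page and the neighbour's bytes out back to back and return the page
 * length the parser is told about. Everything past that offset is off-limits. */
size_t build_arena(char *dst, size_t dst_sz) {
    size_t plen = sizeof(page_html) - 1, nlen = sizeof(neighbour) - 1;
    if (plen + nlen + 1 > dst_sz) return 0;
    memcpy(dst, page_html, plen);
    memcpy(dst + plen, neighbour, nlen + 1);   /* includes the terminating NUL */
    return plen;
}

/* Start of the first "<script" within [p, end), or NULL if there is none. */
static const char *find_script(const char *p, const char *end) {
    for (; p + 7 <= end; p++)
        if (memcmp(p, "<script", 7) == 0) return p;
    return NULL;
}

/* VULNERABLE: copies the tag until it sees '>', trusting that every tag is
 * closed. On malformed HTML the scan continues past page_len and the
 * neighbour's bytes land in the output. The only bound is out_sz, so the demo
 * itself cannot overflow `out`. Returns bytes written (excluding NUL). */
size_t copy_script_tag_vuln(const char *page, size_t page_len, char *out, size_t out_sz) {
    const char *end = page + page_len;
    const char *p = find_script(page, end);
    size_t n = 0;
    if (!p) { out[0] = '\0'; return 0; }
    while (*p && *p != '>' && n + 1 < out_sz)   /* no comparison against `end` */
        out[n++] = *p++;
    if (n + 1 < out_sz && *p == '>') out[n++] = '>';
    out[n] = '\0';
    return n;
}

/* HARDENED: the scan is bounded by the declared length. A tag that is not
 * closed inside the page is reported as malformed (return 0, empty output)
 * rather than "completed" with whatever follows the buffer. */
size_t copy_script_tag_safe(const char *page, size_t page_len, char *out, size_t out_sz) {
    const char *end = page + page_len;
    const char *p = find_script(page, end);
    size_t n = 0;
    out[0] = '\0';
    if (!p) return 0;
    while (p < end && *p != '>' && n + 1 < out_sz)
        out[n++] = *p++;
    if (p >= end || *p != '>' || n + 1 >= out_sz) { out[0] = '\0'; return 0; }
    out[n++] = '>';
    out[n] = '\0';
    return n;
}

/* 1 if the vulnerable parser's output contains the neighbour's token. */
int vuln_leaks_neighbour(void) {
    char arena[256], out[256];
    size_t plen = build_arena(arena, sizeof arena);
    copy_script_tag_vuln(arena, plen, out, sizeof out);
    return strstr(out, "s3cr3t") != NULL;
}

/* 1 if the hardened parser rejects the malformed page without reading past it. */
int safe_rejects_malformed(void) {
    char arena[256], out[256];
    size_t plen = build_arena(arena, sizeof arena);
    size_t n = copy_script_tag_safe(arena, plen, out, sizeof out);
    return n == 0 && out[0] == '\0';
}

/* 1 if the hardened parser still extracts a properly closed tag. */
int safe_handles_wellformed(void) {
    const char good[] = "<html><script src=\"x.js\"></script></html>";
    char out[64];
    size_t n = copy_script_tag_safe(good, sizeof good - 1, out, sizeof out);
    return n == 19 && strcmp(out, "<script src=\"x.js\">") == 0;
}

int main(void) {
    char arena[256], out[256];
    size_t plen = build_arena(arena, sizeof arena);
    copy_script_tag_vuln(arena, plen, out, sizeof out);
    printf("vulnerable parser returned: %s\n", out);
    printf("hardened parser returned %zu bytes\n",
           copy_script_tag_safe(arena, plen, out, sizeof out));
    return 0;
}
```

The point the example makes is the one the post relies on: the attacker does not choose what leaks. A request to any origin serving broken HTML makes the parser walk into whatever happened to sit next to that page in the proxy's memory, which is why the exposure is a random sample of traffic rather than a targeted read, and why the fix is to honour the length the parser was given instead of trusting the input to be well formed.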
Mostly scaremongering, I believe. The people who really are looking to hack into a website or breach someone's account will always find a way given sufficient time and motivation.
All I know is that when Omnimaga switched to Cloudflare, many members started getting blocked by its anti-spam, even after doing the verification tests. While they could e-mail the admins about the issue, some people usually just don't bother and walk away. Later on, I started having serious problems accessing any Cloudflare site because the CF node located nearby was so bad. To this day I can rarely load Omnimaga or any other Cloudflare site in less than 5 seconds.
oldmud0 wrote:
Mostly scaremongering, I believe. The people who really are looking to hack into a website or breach someone's account will always find a way given sufficient time and motivation.
If by scaremongering, you mean me overreacting, you are probably right. I still changed all my passwords to randos because I hadn't done that yet.

@Tari I may have overreacted a bit. I have read the official statement, and yes, it appears that, most likely, most things are fine, and it was just a vulnerability. I'm sorry for overreacting to this.