This hasn't been made clear in their blog, but I asked an employee in #cloudflare on Freenode, who confirmed that CF API tokens and passwords also may have been affected:
[04:32:00] <rcombs> Benjojo: hey, happen to know if CloudFlare's own auth tokens (like, the ones we use to hit the API) could've been affected by the overflow leak?
[04:32:25] <rcombs> doesn't seem like it from what I've seen, but would like to confirm
[05:46:18] <Benjojo> rcombs: It would be incredibly unlikely, but there is a very small risk those would have been affected
[05:46:44] <rcombs> "incredibly unlikely" meaning "as unlikely as any other data"?
[05:46:52] <Benjojo> Yes
[05:47:09] <rcombs> OK, we'll rotate for good measure
[05:47:54] <rcombs> does that apply to CF website logins as well?
[05:49:00] <Benjojo> Unfortunately, yes
This seems worth noting in the "Notable Sites" section.
This hasn't been made clear in their blog, but I asked an employee in #cloudflare on Freenode, who confirmed that CF API tokens and passwords also may have been affected:
This seems worth noting in the "Notable Sites" section.