Cloudbleed: is it actually important to change ALL passwords?

While Miao is right for the case of passwords, this vulnerability also makes OAuth tokens compromised. If a Cloudflare-dependent site uses OAuth, you should take the extra step of resetting your OAuth-dependent sessions across the web.


There is no reason to change any other password. The only scenario I can think of where it may be required is the following:

An attacker learns a password to your mail service. Then, he/she uses the compromised mail service to reset a password of a non-Cloudflare service.

Since I couldn't find a mail service that depends on Cloudflare, this scenario is not likely at all, and I am certain this is a panic response.


I honestly do not think that people are as badly affected as some may try to make you believe. The probability that exactly your accounts are affected is near zero.

To be affected, several things must have happened at the same time:

  1. You were surfing on one of the affected sites.
  2. An attacker was at the same time trying to gather private data by issuing as many erroneous requests as his connection and Cloudflare allow him to.
  3. The attacker landed on the same reverse proxy instances that your requests were previously served by.

All three things must have happened at pretty much the same time. At point 2, the attacker may have gathered private data from some users, but the likelihood that you were one of them is pretty low.

The reason why it must have happened at the same time is quite simple. The proxy instances don't have unlimited memory and thus the memory gets reused very often. So even if the proxy memory contained some sensitive data from your request, one of the following requests of other users would have overwritten this data due to reuse of the same memory.

I would assume that the proxy instances you and the attacker were using at this time were also dependent on your and the attacker's geographic locations. I never hosted anything with the help of Cloudflare and never studied how their load balancing works, but I'd assume they always try to give you a proxy instance that gives the best performance for the particular geographic location. Based on that assumption, I'd guess the attackers were limited to the proxies in the same location.

Also, as only a few requests would have contained your passwords (only the login requests maybe), most leaked sensitive data would only have included session tokens and stuff like that. So the likelihood of your passwords being leaked drops even more.

Next point: As of now, it is assumed Cloudbleed was not exploited before the hole was discovered and closed. It is assumed that the leaked data mostly resides in search engine caches (and probably everything else on the internet that does caching). But the number of requests with leaked data these search engines made is pretty low compared to the requests needed by an attacker to gain enough sensitive data and actually get YOUR data.