(no title)

Potentially, yes. Not just HTTPS, but those are obviously the more worrying cases.

It's not possible to know the totality of information that has been leaked, though efforts are being made to try and list affected / potentially affected sites.[1]

My advice would be: For any sites you're worried about (ie hosted on CF and you have an account), log out of all sessions on all devices, and reset your password. Don't share passwords between sites either; if you're using 1password now, you can use unique & complex passwords for everything.

[1] eg https://github.com/pirate/sites-using-cloudflare