Cloudflare is used by over 4 million websites across the Internet, including Medium, YCombinator, Bitpay, Patreon, TransferWise, Coinbase, Authy, Okcupid, Zendesk, Curse network, Discord, among many other big websites. You can download compressed list of all potentially vulnerable websites here.
RiftCat also uses Cloudflare but we received an e-mail from Cloudflare informing us that they didn't find any of our data leaked:
Fortunately, your domain is not one of the domains where we have discovered exposed data in any third party caches.
The leak isn't RiftCat specific. Any* of the users visiting any of the 4M websites could have seen part of someone's else data in website source. For example, while visiting riftcat.com there was an astronomically small chance of someone's Uber/Fitbit/Okcupid** password being hidden in page source (and the other way around).
Chances of your sensitive data being leaked from the affected sites are very, very small. According to Cloudflare one out of 3 million requests (0.00003%) contained hidden parts of someone's else request. Those hidden parts were probably some sort of generic web traffic because most web traffic is just people browsing pages and not entering their passwords. It was also random and hidden by nature of the problem so it's unlikely that someone could use this as an attack on any of the services listed.
An analogy of this event in real world scenario would be a 0.00003% chance of finding totally random item from someone's else house under your door rug. If you haven't looked under the mat during this unlikely event, it was gone (unless it landed under bot's door rug which is also quite rare)
Most of publicly cached mixed pages are already removed. Cloudflare found 150 page requests publicly available in web caches.
RiftCat data was not found in any of the publicly leaked data.
Nonetheless you might want to change your passwords around the Internet if you want to minimize your chances of being compromised. It's highly recommended that you don't ever use the same password twice. Stay secure.
*It might be limited to users using Cloudflare scrape shield only but it's not confirmed.
** According to TechCrunch they were confirmed as affected. See