Comment by aerovistae
8 years ago
I noticed StackOverflow is on the list of compromised sites. I sign into that via my Google account. Does this mean I need to change my Google credentials?
Most of these 'Sign in with [Social Identity Provider]' implementations, including Google's [1], use OIDC ("OpenID Connect"), which in turn is built on top of OAuth 2.0. From the OAuth 2.0 side, the site you wish to gain access to -- in this case, StackOverflow -- only sees opaque tokens that are usually short-lived.
However, OIDC then typically delivers some choice personal info -- no more than you agreed to when you first consented to the integration, but usually account name and/or email, and maybe real name and some demographic data -- to the requesting service so that they can both find you in their datastore and sync up these attributes. In the case of a service whose OAuth/OIDC callback URL's SSL is terminated with CloudFlare, which we (as of writing) don't yet know applies to StackOverflow, this info will touch CloudFlare servers and could have been among the memory contents that were exposed. However, your password would not be: in your case, the password was supplied to the Social Identity Provider (Google), which didn't use CloudFlare to terminate that connection, and the password never left Google, which was the precise use case and requirement that the OAuth/OIDC specs were authored to support.
[1] https://developers.google.com/identity/protocols/OpenIDConne...
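As an added illustration of the split the reply above describes (example code, not from this thread or from Google), the toy flow below keeps the password check entirely on the IdP side and lets the RP side hold only an opaque code, an opaque access token and the verified claims of a signed ID token. The issuer string is Google's; the client id, the user record, the shared HS256 secret (a stand-in for Google's RS256 signing keys published via JWKS) and all token values are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets
# Constructed demo values; real Google ID tokens are RS256-signed and verified against Google's JWKS.
IDP_ISSUER = "https://accounts.google.com"
RP_CLIENT_ID = "demo-rp-client-id"         # assumption
SHARED_SECRET = b"demo-only-hs256-secret"  # assumption: HS256 stands in for RS256 here
USER_DB = {"alice@example.com": {"password": "correct horse battery staple",
                                 "sub": "1234567890", "name": "Alice Example"}}
PENDING = {}  # authorization codes awaiting exchange, held at the IdP

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def idp_authenticate(email, password):  # IdP side (accounts.google.com): the only party to see the password
    user = USER_DB.get(email)
    if user is None or not hmac.compare_digest(user["password"], password):
        raise PermissionError("bad credentials")
    code = secrets.token_urlsafe(16)
    PENDING[code] = email
    return code  # opaque, single-use; this is all that arrives at the RP's callback URL

def idp_token_endpoint(code):  # IdP side: trade the code for an opaque access token and a signed ID token
    email = PENDING.pop(code)  # pop enforces single use
    claims = {"iss": IDP_ISSUER, "aud": RP_CLIENT_ID, "sub": USER_DB[email]["sub"],
              "email": email, "name": USER_DB[email]["name"]}  # only the consented attributes
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = f"{header}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return {"access_token": secrets.token_urlsafe(24),
            "id_token": f"{signing_input}.{b64url(sig)}"}

def rp_verify_id_token(id_token):  # RP side: check alg, signature, issuer and audience before trusting claims
    h, p, s = id_token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept alg=none or an algorithm downgrade
    expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims["iss"] != IDP_ISSUER or claims["aud"] != RP_CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    return claims

def login_demo(email, password):
    code = idp_authenticate(email, password)  # the password is typed at the IdP, never at the RP
    tokens = idp_token_endpoint(code)         # RP's back-channel exchange of the code
    return {"code": code, "access_token": tokens["access_token"],  # everything the RP side ever holds
            "claims": rp_verify_id_token(tokens["id_token"])}
```

The dict returned by `login_demo` is the complete RP-side state: the attributes in `claims` are what an exposed RP memory region could contain, while the password string never appears in it.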
You won't need to change your Google password; that's never given to websites as part of Google's OAuth process.
You may want to revoke access at https://myaccount.google.com/permissions and reconnect to SO.
In StackOverflow's case, login happens using OAuth2 by way of accounts.google.com, meaning your Google login creds don't go through StackOverflow's servers - Google acts as a trusted third party that verifies that you are who you say you are and tells StackOverflow.