Comment by rdl

I think I've settled on "change admin passwords, change any m2m auth credentials which don't require user intervention (API keys in apps, etc. should be rolled regularly anyway)"

Forcing individual end users to change their passwords is probably a net-negative. I might prioritize it if I have OTHER security improvements to roll out soon, though (2FA, upgrading auth infrastructure, other potential compromise, etc.).

I don't think anything else is really viable.

Bitcoin addresses/keys which transited Cloudflare probably should be updated, though, on the extremely off chance.