@dangoodin @troyhunt @cR0w @Viss @matthew_d_green
(Bear with me on the long reply, trying to cover all bases here)
I don't think the "leaked credentials detection" product is a red flag per se. Maybe the automatic enablement of it is a can of worms, the reason being that people do not typically think that their web proxy is going to snoop their users' credentials, even if it is not storing the full outputs of that snooping.
There is probably a bigger set of discussions that should be had about the data source of these leaked credentials, given they are inevitably sourced from actual data breaches of other people's stuff! Though this is basically the commercial exploitation of stolen user data, it is probably for the greater good to use such leaks (however dubiously obtained) to detect leaked credentials in the future, but idk!
The thing I really wanted to point out in the original post on my side was that it seems relatively unsettling for a company to be very confidently showing off data outputs that have been derived from snooping of passwords without explicit consent. A lot of replies suggested they could be storing data, but they are almost certainly not storing the passwords themselves (because any breach of that would probably be a company-ending event), but CF's demo of the metrics (given how they were obtained) shows a level of hubris which is perhaps a little alarming.
A lot of replies suggest this is a GDPR problem. I am not a legal guy, but I don't think any of this is a GDPR problem. There is, however, a somewhat obvious question in 2025 (to someone in Europe, that is) about an American company snooping the user-submitted data of your requests, which likely has other PII in it, to provide a WAF/etc, but none of this is new to Cloudflare.
Ultimately the websites impacted by default are the ones who don't pay cloudflare anything, there may be a lesser amount of care because of that, but there are probably limits to what kind of stuff people are willing to swallow. Password snooping without explicit consent seems (to me) to get very close to that line, but I am just 1 guy.
It's worth stepping back a bit and acknowledging that there is a reason that people use Cloudflare. It's because the product is actually kind of good; it solves a bunch of problems for people in a cheap and reasonable way. I don't think there's any foul play going on in the widespread adoption of Cloudflare, it's more that people will choose what is convenient, and Cloudflare is mighty convenient. I wish for better alternatives like many others, but right now some of the alternatives are worse either technically or ethically.