I’m no fan of Cloudflare, but did you read the article?

As part of our Application Security offering, we offer a free feature that checks if a password has been leaked in a known data breach of another service or application on the Internet. When we perform these checks, Cloudflare does not access or store plaintext end user passwords.

They then go on to say they hash them and compare the hash to a db.

It’s an interesting read