And even then, no guarantee. One could host a static shopwindow site on his own, and use CF for the actual backend of a mobile app under a different domain that nobody knows about.
There is no real way to know what has leaked and from whom. The only ones with real info are CF, and it's clear from the number of sites they've missed in their purge requests that even they don't really know.
Honest question...
Out of hundreds of passwords I potentially need to reset, I'd like to prioritize.