While an attacker with access to your Cloudflare account would not gain access to your servers, there are other ways he could do lots of harm. For example, by rerouting your traffic to his own site, he could potentially steal their credentials and any deposits they make during that time.
I was thinking the same thing: if an attacker gained acces to your cloudflare account, he could change your complete DNS records... Usually, you buy a domain at your registrar, and you point the nameserver to cloudflare's nameservers.
Within the cloudflare dns records, you specify the ip of your server...
An attacker can rip the whole site design, host it on his own server, change your ip by his ip in the cloudflare menu, and your visitors would be entering their username/passwords on the attacker's server without ever being able to realise this. So the attacker could do all kinds of harm (like stealing usernames, passwords, redirecting to porn, popups, harvesting emails,...)