Spam DKIM-signed by Cloudflare - was the private key leaked?

I've noticed some spam that Google validates as properly DKIM signed by cloudflare-email.net, s=cf2024-1. There's no header showing such messages passing through a Cloudflare SMTP server. So how were the spammers able to sign it from this domain? Has the signing (private) key been compromised?