There are two ways a domain can be "hijacked" on Cloudflare, both of which are due to not following best practices.
We recommend using a strong unique password (or password manager) and enabling two factor authentication to mitigate the possibility of account compromise. If you believe you've been compromised please contact support.
Pointing to Cloudflare name servers without signing up the domain first
We never recommend you point to Cloudflare name servers at your registrar or delegate to our name servers without having your domain signed up in your account first. Anyone can sign up domains to Cloudflare and when you point to Cloudflare name servers without claiming the site first, you are effectively opening up DNS control to whomever signs up the domain first on our platform.
The fix here is to sign up the site in your Cloudflare account first and then point to only your Cloudflare assigned name servers after.