Oh, I see, they want to delete the secret instead of the active tokens. Yeah, now I get what you mean. Seems kinda odd.
…that’s what I just said? https://lemmy.dbzer0.com/comment/793036
Afaik, to generate those tokens, you configure a secret in an environment variable. You cannot generate tokens from looking at valid tokens within the database. Thus storing active tokens in the database is fine, since you can always purge all active tokens, as this post has also suggested.
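The property described in the comment above, as an added example that is not part of the thread and not the project's code: it assumes HMAC-SHA256 signed tokens in the JWT layout plus a server-side set of active tokens, and all function names and sample values are hypothetical.

```python
import base64, hashlib, hmac, json, os

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(secret: bytes, signing_input: str) -> str:
    return _b64(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())

def issue(secret: bytes, user: str, active: set) -> str:
    """Sign a token with the server secret and record it as active."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": user, "jti": os.urandom(8).hex()}).encode())
    token = f"{header}.{body}.{_sign(secret, header + '.' + body)}"
    active.add(token)
    return token

def signature_ok(secret: bytes, token: str) -> bool:
    """True only if the signature matches a recomputation with the secret."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    expected = _sign(secret, parts[0] + "." + parts[1])
    return hmac.compare_digest(expected.encode(), parts[2].encode())

def accept(secret: bytes, token: str, active: set) -> bool:
    """Server-side check: valid signature AND still listed as active."""
    return signature_ok(secret, token) and token in active

def demo() -> dict:
    secret = os.urandom(32)   # constructed; stands in for the configured secret
    active = set()            # constructed; stands in for the token table
    stolen = issue(secret, "alice", active)
    out = {"before_purge": accept(secret, stolen, active)}
    # A token seen in the table gives no way to sign a different body.
    header, _, sig = stolen.split(".")
    altered = ".".join([header, _b64(json.dumps({"sub": "admin"}).encode()), sig])
    out["altered_signature_ok"] = signature_ok(secret, altered)
    # Purging the table ends every session without touching the secret.
    active.clear()
    out["stolen_after_purge"] = accept(secret, stolen, active)
    out["signature_still_ok"] = signature_ok(secret, stolen)
    out["new_login"] = accept(secret, issue(secret, "alice", active), active)
    return out

if __name__ == "__main__":
    print(demo())
```
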
How did the hackers get the cookies in the first place? Compromised devices on the clients?
Thank you for the detailed explanation :)