AshetraceGet assessment
A laptop and phone side by side showing account sign-in screens, the two devices you sign out after a password leak.

Incident Response

How to log out of all devices after a password leak

To log out of all devices after a password leak, open each service's security settings and end every active session, then revoke tokens and rotate keys the same account issued. Signing out everywhere kills the stolen cookies and sessions a password reset leaves alive, because a live session is a separate credential with its own lifetime. SpyCloud recaptured 17.3 billion stolen session cookies from 2024 data.

Key takeaways
  • A password reset does not end an active session; a stolen session cookie is an already-authenticated session that stays valid until it expires or is explicitly revoked (SpyCloud 2025).
  • SpyCloud recaptured 17.3 billion stolen session cookies from 2024 data, the fuel behind session hijacking and MFA bypass (SpyCloud 2025).
  • Infostealers harvest an average of 1,861 session cookies per infection, so one leak can hand over sessions for dozens of accounts at once (SpyCloud 2025).
  • Stolen credentials were the top initial-access vector in 22% of breaches, which makes fast session revocation a breach-prevention control, not housekeeping (Verizon 2025 DBIR).
  • Sign-out-everywhere is not total: a stolen refresh token or persisted malware can survive it, so pair it with device cleanup and key rotation.

Why does signing out everywhere matter after a password leak?

Because the password is rarely the only thing an attacker took. Malware and phishing kits grab live session cookies and tokens too, and those keep an attacker signed in without ever touching the login form. SpyCloud recaptured 17.3 billion stolen session cookies from 2024 data (SpyCloud 2025). Reset the password and the session still works.

A session cookie represents an already-authenticated browser. Replaying it skips the password prompt and the MFA challenge, so it walks straight past the control most teams trust to save them. That is why sign out of all devices is a distinct action from change password: one rotates a secret, the other invalidates the tokens issued from it.

The scale makes this routine, not rare. Infostealers pull an average of 1,861 cookies per infection (SpyCloud 2025), and stolen credentials led as the initial-access vector in 22% of breaches (Verizon 2025 DBIR). If an account of yours leaked, assume its live sessions leaked with it and end them.

17.3BStolen session cookies recaptured from 2024 data (SpyCloud)
1,861Cookies harvested per infostealer infection, on average (SpyCloud)
22%Of breaches used stolen credentials as the top entry vector (Verizon DBIR)

The steps below cover the platforms most teams care about first. Each service will also get its own deep-dive page as this series grows, but this is the fast field checklist for the hour after a leak.

Sign out of all Google sessions

Google has no single sign-out-everywhere button. You remove devices one at a time, and the definitive way to invalidate everything is to change the account password (Google Account Help).

  • Open your Google Account at myaccount.google.com and select Security.
  • Under Your devices, select Manage all devices.
  • Select a device you do not recognize, then choose Sign out. Repeat for each session.
  • Change your account password to force-invalidate remaining sessions across devices.

Revoke sessions in Microsoft 365 and Entra ID

For a Microsoft 365 or Entra ID account, an admin revokes the user's sessions from the Entra admin center, which resets the refresh tokens and browser session cookies (Microsoft Learn). Already-issued access tokens still stand until they expire.

  • Sign in to the Microsoft Entra admin center and go to Identity, then Users, then All users.
  • Select the affected user to open their overview.
  • Choose Revoke sessions to invalidate refresh tokens and session cookies.
  • Set Block sign-in to Yes to stop new interactive sign-ins while you investigate.

Mind the gap: without Continuous Access Evaluation, an existing access token can stay valid up to its lifetime (default about one hour) after you revoke (Microsoft Learn). Blocking sign-in closes the door on the next token request while the current one ages out.

What a password reset leaves behind
Password: invalidated by a reset GONE Session cookies: survive until sessions revoked ALIVE Refresh tokens: survive until explicitly revoked ALIVE API keys and tokens: survive until rotated ALIVE
A reset rotates one secret; sign-out-everywhere and token revocation close the rest. Illustrative of the credential types in a single stealer log.

Log out of all Instagram devices

SpyCloud recaptured 17.3 billion stolen cookies in 2024, so signing out everywhere is not optional (SpyCloud). Instagram routes session control through the Accounts Center rather than a numbered help page, and there is no one-tap log-out-of-all. The reliable full purge is to change your password and select the option to log out of other devices when prompted (Instagram Help Center).

  • Tap your profile, then the menu, then Settings and activity.
  • Open Accounts Center, then Password and security.
  • Tap Where you're logged in and review each active session.
  • Log out of any device you do not recognize, then change your password and choose to log out of other devices.

Log out of all Facebook sessions

Facebook does give you an explicit log-out-of-all action, unlike Google or Instagram. You find it under Password and security, in the Where you're logged in panel (Facebook Help Center).

  • Go to Settings and privacy, then Settings.
  • Open Password and security.
  • Under Where you're logged in, click See more.
  • Click Log out of all sessions, or select individual sessions and log them out.

How do you revoke GitHub sessions, tokens and keys?

Stolen credentials led 22% of breaches, and developer tokens are prime targets (Verizon 2025 DBIR). On GitHub, revoking a web session is only part of the job. Personal access tokens, authorized OAuth apps and SSH keys are independent access paths that a session revoke does not touch, so a leaked account needs all four handled (GitHub Docs).

  • Sessions: Settings, then Sessions in the Access section, then Revoke session for any web or GitHub Mobile session you do not recognize.
  • OAuth apps: Settings, then Applications, then the Authorized OAuth Apps tab, then Revoke for each app you no longer trust.
  • Personal access tokens: Settings, then Developer settings, then Personal access tokens, then Delete every unrecognized token.
  • SSH keys: Settings, then SSH and GPG keys, then Delete any key you did not add.

Treat tokens and keys as the real prize on a developer account. A revoked browser session means little if a leaked personal access token still has repo scope, so rotate all three alongside the session revoke (GitHub Docs).

Sign out of all other Slack sessions

In Slack, a user can end every other session from account settings on web or desktop; the option is not in the mobile app (Slack Help Center). For an SSO workspace, an admin can force everyone to re-authenticate.

  • Open your Slack Account settings on web or desktop.
  • Scroll to Sign out all other sessions.
  • Click Sign out all other sessions, then confirm with your password.
  • For an SSO org, an admin uses Reset all single sign-on sessions in the workspace authentication settings.

Rotate and revoke AWS access keys and role sessions

Verizon found 46% of systems holding corporate logins were unmanaged, widening cloud-key exposure (Verizon 2025 DBIR). AWS handling depends on the credential type. A leaked IAM access key cannot be session-revoked; you deactivate it, then delete it. Active role sessions are cut off by attaching the AWSRevokeOlderSessions policy from the role's Revoke sessions tab (AWS IAM User Guide).

  • Access keys: IAM console, then Users, then the user, then the Security credentials tab.
  • Under Access keys, choose Actions, then Deactivate to stop the key immediately, then Delete once nothing depends on it.
  • Role sessions: IAM console, then Roles, then the affected role, then the Revoke sessions tab, then Revoke active sessions.
  • Confirm the AWSRevokeOlderSessions inline policy is attached, which denies credentials issued before the revoke time.

One nuance worth knowing: the revoke policy denies sessions assumed before the cutoff plus roughly a 30-second buffer, using a condition on aws:TokenIssueTime (AWS IAM User Guide). Sessions assumed after that point are unaffected, which is why you deactivate the leaked key first.

Why can sign-out-everywhere still miss an attacker?

Because two things can outlive it: a stolen refresh token and the malware itself. A refresh token can mint fresh access tokens until it is explicitly revoked, and infostealers harvest an average of 1,861 cookies per infection, so the leak that started this rarely stops at one account (SpyCloud 2025).

If persisted malware is still on the device, it simply re-steals the new session the moment the user signs back in. That is why sign-out-everywhere pairs with device cleanup: eradicate the malware first, then revoke sessions, rotate credentials and revoke tokens, in that order. Skip the cleanup and you are resetting into an attacker's open channel (Verizon 2025 DBIR).

The hard part is knowing which accounts actually leaked, so you revoke the right sessions instead of guessing. Ashetrace scopes that for you from the criminal supply of stealer logs: verify a corporate domain and get a list of the exposed identities, without handing over any passwords, cookies or tokens. Sign-out-everywhere works best when you know exactly where to point it.

Frequently asked

Does changing my password log me out of all devices?

Not always. On some services a password change ends other sessions, but on many it does not touch live session cookies or refresh tokens. SpyCloud recaptured 17.3 billion stolen cookies from 2024 data, and each stays valid until the session is explicitly revoked, so sign out everywhere too.

Why does signing out everywhere matter after a leak?

A stolen session cookie is an already-authenticated session that skips the password and MFA prompt. Verizon's 2025 DBIR found stolen credentials were the top initial-access vector in 22% of breaches, so ending live sessions removes access a reset alone would leave open to the attacker.

Can an attacker stay in after I sign out of all devices?

Yes, in two cases. A stolen refresh token can mint new access tokens until revoked, and persisted malware re-steals the session when the user signs back in. Infostealers grab an average of 1,861 cookies per infection (SpyCloud 2025), so clean the device before revoking.

What is the difference between revoking a session and rotating a key?

Revoking a session invalidates a token issued from a login, like a browser cookie. Rotating a key replaces a standing credential such as an AWS access key or a GitHub token. A leaked account often needs both, since AWS access keys cannot be session-revoked and must be deactivated then deleted.

Which services have a true sign-out-of-all button?

Facebook and Slack offer an explicit log-out-of-all-sessions action. Google and Instagram do not; there you remove devices individually and change the password to force the rest out. GitHub revokes each session, plus tokens, OAuth apps and SSH keys separately, per its official docs.

Sources
  1. SpyCloud, 2025 Annual Identity Exposure Report (2025)
  2. Verizon, 2025 Data Breach Investigations Report (DBIR) (2025)
  3. Google, See devices with account access
  4. Microsoft, Revoke user access in an emergency in Microsoft Entra ID (2025)
  5. Meta (Instagram), Instagram Help Center
  6. Meta (Facebook), Log out of Facebook on another device
  7. GitHub, Viewing and managing your sessions
  8. GitHub, Managing your personal access tokens
  9. Slack, Sign out of Slack
  10. Amazon Web Services, Revoke IAM role temporary security credentials
Share

Start here

See what is still exposed in your environment

Verify a corporate domain and get a scoped exposure assessment. No passwords, cookies or tokens handed over.

Request an exposure assessment