Turn It Off And On Again, Google Says

Google accounts are being compromised by an exploit that allows attackers to use expired session cookies for prolonged unauthorized access, even after password changes. The vulnerability was announced in October by a Russian-language Telegram channel and was soon adopted by various threat actors, including the Lumia criminal group. Google stated that this attack vector is not new and has actions in place to secure compromised accounts. Google suggests that affected users sign out of all browser profiles to invalidate current session tokens.