I changed the password of my VRChat account and was able to log in without having to enter my new credentials.

I expected the login token to be invalidated when I change my password and every active session to end, returning the player to the login interface.

This is important to stop a malicious actor of using an account they gained access to.

I would propose the ability to invalidate logins when the 2FA is added/modified or the password has been altered. This would also include deleting locations the user granted login access to.