Hacker News
by bitskits 3329 days ago
What attack vector does changing your password help with? Are you concerned they could have recovered the account password via the OAuth scope?
2 comments

The greater issue is the passwords of other accounts, which could now be 'recovered' as the attacker has access to your email.
Yes, I agree, although revoking the scope should remove the access (and I assume Google did that for everyone already).
Changing your password is the fastest way to ensure all authed sessions on any device are logged out. Google offers a "log out of any sessions" button somewhere in account settings, but most other services don't.

If your email account is compromised, any services that do password resets via email confirmation are potentially compromised by whoever has access to your email via OAuth.

I'm pretty sure that changing your password does NOT revoke your OAuth scopes, which was the attack vector here.