by Adverblessly
905 days ago
I've hacked into your account and changed your password. Should all your cookies mean nothing for when you try to regain access to your account? Similarly, should knowledge of your old password contribute nothing towards allowing you back into your account? Which is more trustworthy, the same device/cookie I've seen logged into the account for the last <duration of retention period>, or some new one that just reset the password? I won't pretend to understand Google's mechanisms or intentions, nor the workings of this exploit, but surely it is more complicated than simply invalidating all prior info upon password rotation?