What a stolen session token does that a password reset cannot fix
Session and token theft bypass MFA because there is no fresh login to challenge. Here is why it matters and how to contain it.
The reset reflex
The instinct during an account incident is to reset the password. For a stolen session token, that does nothing. The attacker is not logging in. They are replaying an already authenticated session, so MFA is never challenged and the password is irrelevant.
Where this shows up
The pattern repeats across the identity surface. A HAR file uploaded to support carries a live admin session. A consented OAuth app holds an app-only token that authenticates as itself, not as any user. An AWS instance role credential is read from the metadata service and replayed from outside the VPC. In each case the credential is valid, MFA is satisfied or irrelevant, and the user password is beside the point.
Contain the credential, not the login
You have to invalidate the thing actually being used. Revoke the session and force reauthentication. Disable and rotate the service principal or key. For temporary cloud credentials you cannot delete one session, so you deny everything issued before a cutoff time. Then you hunt for the persistence the attacker planted while they had access, because they rarely leave only one way back in.
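The cutoff-time denial for temporary cloud credentials, as an added example that is not part of the original article: the function builds the same shape of IAM policy that the AWS console attaches to a role under "Revoke active sessions" (a blanket Deny conditioned on aws:TokenIssueTime), and a small local checker (an assumption for illustration, not the real IAM evaluator) shows which sessions it cuts off.

```python
import json
from datetime import datetime, timezone

ISO_Z = "%Y-%m-%dT%H:%M:%SZ"  # the timestamp format aws:TokenIssueTime is compared against


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, ISO_Z).replace(tzinfo=timezone.utc)


def revoke_older_sessions_policy(cutoff_iso: str) -> dict:
    """Deny every action for any credential issued before the cutoff.

    STS role sessions cannot be deleted one at a time, so the containment step
    is a Deny that matches on issue time; sessions minted after the cutoff
    (the responder's fresh credentials) are unaffected.
    """
    _parse(cutoff_iso)  # fail fast on a malformed cutoff instead of shipping a no-op policy
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff_iso}},
        }],
    }


def session_is_denied(policy: dict, issued_iso: str) -> bool:
    """Simplified local check: would this session's issue time hit the Deny?"""
    issued = _parse(issued_iso)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("DateLessThan", {})
        if "aws:TokenIssueTime" in cond and issued < _parse(cond["aws:TokenIssueTime"]):
            return True  # DateLessThan is strict: a token issued exactly at the cutoff is not denied
    return False


if __name__ == "__main__":
    # Constructed timeline: an instance-role credential was read from the metadata
    # service at 11:42; the responder sets the cutoff to 12:00 and re-mints credentials.
    policy = revoke_older_sessions_policy("2024-05-01T12:00:00Z")
    print(json.dumps(policy, indent=2))
    print("stolen denied:", session_is_denied(policy, "2024-05-01T11:42:00Z"))  # True
    print("fresh denied: ", session_is_denied(policy, "2024-05-01T12:05:00Z"))  # False
```

Every legitimate session issued before the cutoff is denied as well, so re-minting credentials for the workloads that use the role is part of the same containment step, not a follow-up.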
Rehearse it
Reading this is not the same as doing it at 2am. GraphLattice Range puts you in the seat for these exact incidents and scores the call you make.