flames5123@lemmy.world to Lemmy@lemmy.ml • With the recent hack, there is now irrefutable proof of malicious actors trying to break Lemmy and steal user accounts. Please be careful about entering your password into random Lemmy apps!
5 · 1 year ago

The decoding algorithm can change, which is exactly what happened, invalidating all previously generated tokens. They cannot be decoded to a password though since they are encrypted, meaning shared passwords wouldn’t be an issue (though you should use a password manager to not have this issue in the first place).
Right. I was simplifying it by saying it was encrypted, but it’s just an auth token from the service after verifying that the user is authenticated.
And correct. I’m just an idiot and didn’t do research to explain it, even though I’ve used JWT tokens in my applications before. Hahaha. Thanks for the detailed correction!