Cloudbleed - Time to change all your passwords again!

The rough impression I get is that a concern here is cached stashes of this leaked data on accessible platforms like search engines. While, for instance, Google has already begun purging cached data containing user-data acquired while spidering the affected sites, what about, shall we say, less reputable search engines, like Baidu?

Once the data is out, it’s out.

It’s still a relatively small leak compared to others we’ve seen in recent years, and the odds of leaked data actually being useful to anyone, like a password or even session cookie, aren’t high. But they aren’t zero either.

On well-written web software, the sessions change every 10 minutes or so, thus a session cookie more than 10 minutes old wouldn’t be vulnerable.

It does depend on the software.

(And I am ashamed to admit, because of a … let’s call it … miscommunication, in Discourse versions 1.0 through 1.7 a session token could be effectively permanent if the user was hitting the site once every 60 days.)

heh heh how’s this for scare-mongering: https://cloudbleedcheck.com/?domain=quartertothree.com

OH SWEET JESUS NO

The fire-engine red backdrop really sells it.