Hi Dossy,

Indeed - I think we both agree that it's an education issue.

I can see why you wouldn't want to deauthorise all tokens automatically - but I'd certainly have it as an option. After all, you can't possibly know which site has been used with a compromised password (unless it's the only one you haven't personally authorised).

At any rate - I'd put the option on the same screen as password reset in order to educate users.

Thanks for the comments