And enable 2FA if you can. Sure, it's annoying to have to dig out your phone (or browser extension, desktop app, etc.) for a code, but it's better than having your account taken over.
Summit
Community to discuss Summit, a Lemmy reader for Android.
App (Play Store): https://play.google.com/store/apps/details?id=com.idunnololz.summit
APK: https://github.com/idunnololz/summit-for-lemmy/releases
Patreon: https://patreon.com/SummitforLemmy
Ko-Fi: https://ko-fi.com/summitforlemmy
Website: https://summit.idunnololz.com/
I could be wrong but I think the attack circumvents this. As the attacker would receive a users JWT token the 2FA in the login process is moot. Still better to have it enabled in general tho.
All JWT tokens should have been invalidated by the server creators. Those tokens should no longer be usable. It's still possible actions were taken using your account while the server was compromised. See https://lemmy.world/post/1290412
On Liftoff, I found I needed to remove my account and then add it again.
If somehow you cant login back, try manually deleting the cookies from lemmy.world.