Romellie There is currently no way to invalidate all sessions of a user from within Flarum. We are aware of this shortcoming, but have not yet decided how to move forward with this.
We have this (old) existing issue flarum/core1304 as well as other internal discussions on the subject.
Removing data from access_token will successfully invalidate any API token created by the user as well as prevent the "remember me" feature from working, but all active cookie-based sessions will remain connected.
To invalidate active sessions, you'll need to destroy the associated PHP sessions which contain a user_id key. This is the code loading the session for reference https://github.com/flarum/core/blob/v0.1.0-beta.9/src/Http/Middleware/AuthenticateWithSession.php#L39
You should be able to loop though the sessions and destroy them similar to https://stackoverflow.com/questions/675913/looping-through-all-a-servers-sessions-in-php
In your script, also don't forget to destroy the email_tokens and password_tokens of the user.
While this allows you to get access to the stolen account, you sadly still have no way to end other active sessions of the user from there.
