i know for sure they they didnt change password or unlink application.
when you say generated 25 tokens, wouldnt the way i store and use tokens avoid this? every single time i get a new token, i store it in the database along with the new refresh token and use that one from now on.