If information is complete, attackers gained access to active user sessions by leaking cookies via script injection, access would have been terminated when the cookies were invalidated. They likely did not have access to your password (changing it never hurts though).