Folks, as per @philglass’ observation, in the last couple of hours we’ve taken the step of removing all personal and project API tokens created before we released the security alert. This means you can focus on other efforts as part of your own remediation.
We apologise for the impact this might have in having to recreate tokens, but took this action in the belief that it is in the best interests of our users, minimising risk whilst also reducing the burden on our users having to respond.
We will update the blog in due course.