Not surprised...
I login with a browser (chrome of Mozilla-based). Oauth, for example. With secondary factor.
I copy the %appdata% and %localappdata% of the browser (or their equivalent unix datastore) to another machine with same OS, more similarity was not needed for my tests.
Login is still valid. And they call that secure, when "just copy some files" is enough.
Does not work every time for every service, but works way too often to be called secure.
Until that is fixed, globally for all somewhat important sites, all extensions have it easy to gain access to where they should not.
We are soooo frigged.