Security tokens can grant attackers access to website data without needing a password

https://www.itpro.co.uk/security/33376/wordpress-ios-app-leaked-security-tokens-to-third-parties