Figure that the password was compromised somehow and someone is sending spam from another location.

Changed the password and setup two-factor authentication.  Unfortunately it seems like the emails are still being sent which I'm guessing is from another computer in a different location.  Even the email headers seem to have IP's in different countries.

How can I ensure that all of the sessions that were logged in before have been invalidated requiring them to use the new password and token?

I don't see any options on seeing the list of logged in sessions, IPs, or ability to invalidate them all.

Thanks.