It wasn’t really a hoax. It was a legitimate problem. Lots of software could have broke. It didn’t because developers were diligent. There was a long leadtime to New Year’s with lots of people working overtime.

Basically it is what is generated when you log in. Think of it as being related to your user name and password but not I’m a way that exposes it. Rotating the secret causes all of these JWT tokens to no longer be valid.

Think of it a bit like this: you are a spy and were told a code word to authenticate your identity. While you were away, that code word is changed, so you no longer have an easy way to validate your identity. You must now start again from scratch.