Well stuff on a brick.
Ok, so they have access to our accounts. But they can't make changes because they don't have our passwords, just our session.
So then the mystery thickens because now we have to answer why they were targeting users of a certain age (some made sense, they were inactive and wouldn't be noticed at first) but now it seems more accounts are being compromised once we discovered the issue.
So then why advertise Bloxcity? Who in their right mind is going to take away from all of this "you know what, that hijacker was right, we should play bloxcity instead of blockland. Thanks hijacker!"