Email compromised, hacker still has access despite changing pw and enabling 2FA
On Sunday, I discovered that someone had password-guessed their way into my dad's Comcast email (my email is on the same subscriber id), added themselves as Primary User and locked both him and me out of our accounts. After two hours on the phone with customer service, I managed to get back in, changed all the passwords, enabled Xfinity Authenticator, etc.
Today, I found out that not only does the hacker still have access to my email, but that changing the password does /not/ automatically deauthenticate existing sessions (webmail or desktop client), nor does enabling 2FA, and there is no button anywhere in account settings to forcibly log out all sessions. Meanwhile, the hacker has been taunting me on Reddit saying I have "bad opsec" (not entirely untrue...) and how he's going to continue doing it until I "willingly" hand over my Roblox items (all this over a game I haven't touched in years?!). The proof I have that they still have access to my Comcast email, is that they've successfully, repeatedly, changed my Roblox account credentials and associated email due to the fact that the "account creation email" (my Comcast email) is permanently registered.
I don't care about the Roblox thing (honestly I might just delete the account out of spite), but what I need to know is this: How do they still have access to my Comcast email accounts, in spite of changing the password and adding the Xfinity Authenticator, which /should/ have automatically invalidated all existing session cookies? And more importantly, how do I keep them from regaining access to mine AND my father's Comcast accounts to do worse damage? I've already reassigned the Primary User of our Xfinity Service to a brand new Gmail (along with registering it in Authenticator), and de-Managered dad's account, so they can't lock us out again...
(Minor side tangent-rant: 16 character limit on passwords, Xfinity? Seriously? Even if my dad wasn't bad at making passwords...)