A MITM attack of a VPN allows attackers to collect unencrypted traffic.
Most people access email over a webmail interface, like gmail, that uses modern TLS encryption. All that's sent unencrypted is the SNI header, e.g. "mail.google.com", and roughly how much traffic total is transferred, e.g. "20 MB of browsing on mail.google.com".
A VPN can't easily defeat TLS. It would require the user to ignore many scary warnings from the browser.
You're still right that a user should change their passwords for any websites that do not use TLS (very few these days), or for any that use old versions of TLS if their threat model includes someone with close to nation-state resources attacking their connections individually.
It also probably doesn't hurt to be paranoid and rotate anyway, but it should be with a proper understanding of the threats, not because of some ridiculous "the sky is falling" incorrect information like this.
Everyone is discounting one thing - State actor possibility behind this attack.
With state actor comes completely different ball game - totally different budget and capabilities to crack things. NOBODY knows what their unpublicized capabilities could be! So it is good practice to stay vigilant!
Most people access email over a webmail interface, like gmail, that uses modern TLS encryption. All that's sent unencrypted is the SNI header, e.g. "mail.google.com", and roughly how much traffic total is transferred, e.g. "20 MB of browsing on mail.google.com".
A VPN can't easily defeat TLS. It would require the user to ignore many scary warnings from the browser.
You're still right that a user should change their passwords for any websites that do not use TLS (very few these days), or for any that use old versions of TLS if their threat model includes someone with close to nation-state resources attacking their connections individually.
It also probably doesn't hurt to be paranoid and rotate anyway, but it should be with a proper understanding of the threats, not because of some ridiculous "the sky is falling" incorrect information like this.