Currently we create the auto-login cookie using the user_id, and a hash of (a) the per-user network_secret and (b) the password_v4 (which is a hash).
Someone with access to the database or a backup of it could create login cookies for any user.
This is also open to a replay attack.
The main issue here is that we never update the network_secret.
Forging cookies from a stolen DB can be avoided, and the replay window shortened, with some kind of nonce and a new table:
autologin_tok
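As an added illustration (not code from the original proposal) of the nonce-plus-table idea: each login gets a fresh random token whose hash is stored in autologin_tok, and redeeming a cookie deletes that row and issues a replacement. The column layout, the 30-day lifetime and the `user_id:token` cookie format are assumptions, since the page only names the table.

```python
import hashlib
import secrets
import sqlite3

# Assumed schema for the proposed autologin_tok table; the page names the
# table but gives no columns, so this layout is an illustration.
SCHEMA = ("CREATE TABLE autologin_tok (user_id INTEGER NOT NULL, "
          "tok_hash BLOB NOT NULL UNIQUE, expires INTEGER NOT NULL)")
TOKEN_TTL = 30 * 24 * 3600  # assumed 30-day cookie lifetime, in seconds

def hash_token(token: str) -> bytes:
    # Only the hash of the random token is stored, so a copy of the table
    # (or a backup) cannot be turned back into a valid cookie.
    return hashlib.sha256(token.encode()).digest()

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db

def issue_cookie(db, user_id: int, now: int) -> str:
    # Fresh random nonce per issuance: nothing in it derives from
    # network_secret or password_v4, and every login gets its own row.
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO autologin_tok VALUES (?, ?, ?)",
               (user_id, hash_token(token), now + TOKEN_TTL))
    return f"{user_id}:{token}"

def redeem_cookie(db, cookie: str, now: int):
    """Return (user_id, replacement_cookie) if the cookie is valid, else None.
    A redeemed token is deleted and replaced, so a captured cookie stops
    working as soon as the legitimate client next uses it."""
    try:
        uid_s, token = cookie.split(":", 1)
        user_id = int(uid_s)
    except ValueError:
        return None
    key = (user_id, hash_token(token))
    row = db.execute("SELECT expires FROM autologin_tok "
                     "WHERE user_id = ? AND tok_hash = ?", key).fetchone()
    if row is None or row[0] < now:
        return None
    db.execute("DELETE FROM autologin_tok WHERE user_id = ? AND tok_hash = ?", key)
    return user_id, issue_cookie(db, user_id, now)
```

Rotation on every use limits a replayed cookie to the gap before the real client's next visit; the stored hashes alone never let a database reader mint a cookie.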