Does an admin account have any permissions to view email addresses or data of registered users?
Did MichelleG not have 2FA enabled?
Now that this has happened, it'd be worth pushing this issue through as high priority. If HttpOnly
was enabled, then an admin takeover would not have been possible.
Prior to the JWT secret being rotated, yes, they could have authenticated as you. The tokens are now all invalid and useless.