Did the users have 2FA enabled? If it was an nsec leak, is that still account protection against settings being changed?