@nekofag The leak was dumped from Admin API. Therefore, the attacker obtained an OAuth token for an admin user. How did they do that? Regardless, shutting down admin API will minimize the attack surface. Long term the right thing to do is to whitelist certain IPs to access it.