we were attacked a few weeks ago. all of our users were sent emails about their passwords getting reset. along with all our admins. i looked like someone created an account on our site and then somehow gained admin access to reset every password. how is this possible and what can we do to stop this. thankfully we are not live and all users are test or the creators.
Scan you site for malware and make sure all software is up to date. You should remove the account that was added, change your password, and change your API key. Have each of the members of the account change their passwords and use 2FA along with a password manager.