I am wondering if a client did something it shouldn't have done. I'll give them the benefit of the doubt for now and think maybe it was an accident that they had this happen, testing something and hopefully forgot to remove it from a dev environment before going to prod.
Discussion
Could be a cross-site scripting attack as well, no? Maybe the plugin needs a policy about signing profile updates requiring confirmation always?
This is actually a good idea. I don't want to have to authorize every single like or post. I'd be okay having kind 0 events be double confirmation.
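
The policy suggested in the comments above, sketched as an added example (not part of the original thread and not any signing extension's real code): standing per-origin grants still auto-sign likes and posts, but a kind 0 event always prompts and lists the profile fields that would change. The names `decide`, `profileDiff` and `grants` are hypothetical, and it assumes kind 0 content is a JSON string of profile fields, as in Nostr.

```javascript
// Hypothetical signer-side policy; all names and sample data are constructed.
// Kinds that always need an explicit prompt, even with a standing grant.
const ALWAYS_CONFIRM_KINDS = new Set([0]); // kind 0 = profile metadata

// Parse kind 0 content (a JSON string of profile fields); null if malformed.
function parseProfile(content) {
  try {
    const obj = JSON.parse(content);
    return obj && typeof obj === "object" && !Array.isArray(obj) ? obj : null;
  } catch {
    return null;
  }
}

// List the profile fields a requested kind 0 event would change.
function profileDiff(currentContent, requestedContent) {
  const cur = parseProfile(currentContent) || {};
  const req = parseProfile(requestedContent);
  if (req === null) return null; // cannot show a diff, caller must flag it
  const keys = new Set([...Object.keys(cur), ...Object.keys(req)]);
  return [...keys]
    .filter((k) => JSON.stringify(cur[k]) !== JSON.stringify(req[k]))
    .sort()
    .map((k) => ({ field: k, from: cur[k], to: req[k] }));
}

// Decide how to handle a signing request from a web origin.
// grants: Map of origin -> Set of kinds the user pre-approved.
function decide(request, grants, currentProfileContent) {
  const { origin, event } = request;
  if (ALWAYS_CONFIRM_KINDS.has(event.kind)) {
    const changes = profileDiff(currentProfileContent, event.content);
    return changes === null
      ? { action: "prompt", reason: "kind 0 with unparseable content", changes: [] }
      : { action: "prompt", reason: "profile update always needs confirmation", changes };
  }
  const allowed = grants.get(origin);
  return allowed && allowed.has(event.kind)
    ? { action: "auto-sign", reason: "standing grant", changes: [] }
    : { action: "prompt", reason: "no grant for this kind", changes: [] };
}

// Constructed sample data: the origin holds a grant that even includes kind 0.
const grants = new Map([["https://client.example", new Set([0, 1, 7])]]);
const current = JSON.stringify({ name: "alice", about: "hi", picture: "https://img.example/a.png" });
const like = { origin: "https://client.example", event: { kind: 7, content: "+" } };
const profile = { origin: "https://client.example", event: { kind: 0,
  content: JSON.stringify({ name: "alice", about: "changed", website: "https://w.example" }) } };
console.log(decide(like, grants, current).action, decide(profile, grants, current));
```

Showing the field-level diff in the prompt is what lets the user notice a profile change they did not initiate, whether it came from a buggy client or from script injected into the page.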