Recently we had a breach in one of the administrator accounts where one admin revoked admin rights of another admin account. We tried to investigate the breach but no luck there, since we can only ask other users if they did something which isn’t very helpful.
We had to reset the administrator password and then revoke all admin rights of all administers on the hopes that this would somehow help.
I’m not sure if this is a breach from our side, a bug or a software change but I can’t help but to think how it would be nice to have an audit trail or history on user changes. That would really be useful to investigate such weird occurrences.
I will add this into ideas for now since I know about the case details, however, my concern is not with the administrator accounts but whether there is an escalation of privileges bug or, more importantly, an http request interception since all API implementations that we have use unencrypted basic authentication – which is a little bit frightening especially since we use multiple administrator accounts strictly for API access only.
@lubos, it would be nice to have an audit trail for the user but also this idea could be revisited once again as well: