It is a classic supply-chain attack. The same modality is used by gamers to sell off their high-level characters, and social media accounts do "switcheroos" on posts, Pages, and Groups all the time.

You know, a lot of consumer cybersecurity focuses on malware, browser security, LAN services, but I propose that the new frontier of breaches involves browser extensions, "cloud integrations", and "app access" granted from accounts.

If I gave permission for Joe Random Developer's app to read, write, and delete everything in Gmail and Google Drive, that just set me up for ransomware or worse. Without a trace on any local OS. A virus scanner will never catch such attacks. The "Security Checkup" processes are slow and arduous. I often find myself laboriously revoking access and signing out obsolete sessions, one by one by one. There has got to be a better way.