Our site was recently infiltrated and the test gateway module activated and enabled to replace the authorize.net payment gateway. Is there anyway I can find out which user may have made this change? A couple roles besides superadmin are able to administer credit card settings at the request of the client but they all show last access dates much older than when the gateways were switched. I have since disabled permissions to admin credit card settings for any user and changed the password to the superuser. Is there anything else I can do?