This has happened twice. One in December, and now once at the end of January.
An adult leader unaffiliated with the troop is being added as a duplicate Chartered Org Rep and Troop Admin, and therefore given full control access to all of our scouts.
Both times it was the same person.
Details that might be relevant:
She is registered as a leader for the Pack affiliated with our same chartered org.
She has a hyphen in her name.
She does not appear in the troop roster in any way on my.scouting.org.
She is configured as a Key 3 Delegate in the Pack on my.scouting.org, but with an expiration date in the past.
Workaround: Set end dates on her unit roles, unapprove her, and delete all connections with all scouts in the troop.
I consider this a severe privacy issue, and a potential source of data corruption. This forces me to check daily if illegitimate adult leaders have been added overnight so that I can remove them before private information is exposed further.