How would you try and do a DIY forensic analysis from a suspected breach of Hass?

May 17th 1:35:17pm a user named "daddy" is created and given the administrator role. This user never even flipped a switch or did any damage I can see, no malware, no cred stealers, no uploads, and the username implies someone trolling (maybe a white hat with a sense of humor?)

I noticed June 2nd or 3rd when I was looking in history or the logbook, filtering by target, and noticed a person entity named "daddy". My blood turned to ice and I dropped its network interface while scrambling to do damage control.

So far, I've ascertained that the method of auth/creation was the homeassistant auth backend, so not oidc (like I suspected, but the "createNewUser" flag was off).

I went to LLMs for help figuring it out and it was brutally painful, not much forensics to grab. So here I am asking the community for advice.

My Hass is deployed as proxmox VM so I have backups of the compromised state. I have a backup from the next day and I have it restored so I can do forensics.

So, fire away guys and gals if you're interested in this little rabbit hole.

And "daddy", if you're out there. I hope you're just a funny person and not a scumbag :face_blowing_a_kiss:

Forgot to mention the only thing that comes to mind is long lived tokens, which have been rotated on my public instance.

I'm working with LLMs to try and figure out how to be notified on new user creation and some sort of log so I can analyze usernames to IPs. Which seems partially doable (the new user notification), but I would also like to see when an LLT is used and by which IP...

I'm not a complete dunce, I do what I can with the knowledge I have to secure my instance; cf tunnels, MFA, oidc, crowdsec and intermittent manual digging, so I was very surprised I got smoked by "daddy", this rascal popped my breach cherry!

I really want to understand the failure or method of access.
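Since the post mentions a restored backup of the compromised VM, one concrete place to start is Home Assistant's own auth store (the `.storage/auth` JSON file), which records users, their credential provider, and every refresh token including long-lived ones. The script below is an added example and not from the original poster or the Home Assistant project: it pulls out the users holding the admin group, which tokens were used after a chosen time and from which IP, which user names share an IP, and a simple timeline. The field names (`users`, `credentials`, `refresh_tokens`, `token_type`, `last_used_ip`, `last_used_at`, `created_at`, the `system-admin` group id) are an assumption from memory of that file's layout and should be checked against the real file; the embedded sample store, the user names and the IP addresses are constructed for the example.

```python
import json
from datetime import datetime

# Constructed sample shaped like Home Assistant's .storage/auth JSON store. The field
# names are an assumption about that file's layout; compare against the real file
# from the restored backup before trusting any of them. IPs are documentation ranges.
SAMPLE_AUTH_STORE = json.dumps({
    "version": 1, "key": "auth",
    "data": {
        "users": [
            {"id": "u1", "name": "owner", "group_ids": ["system-admin"],
             "is_owner": True, "is_active": True, "system_generated": False},
            {"id": "u2", "name": "daddy", "group_ids": ["system-admin"],
             "is_owner": False, "is_active": True, "system_generated": False},
        ],
        "credentials": [
            {"id": "c1", "user_id": "u1", "auth_provider_type": "homeassistant",
             "data": {"username": "owner"}},
            {"id": "c2", "user_id": "u2", "auth_provider_type": "homeassistant",
             "data": {"username": "daddy"}},
        ],
        "refresh_tokens": [
            {"id": "t1", "user_id": "u1", "token_type": "normal",
             "client_id": "https://ha.example.invalid/", "client_name": None,
             "created_at": "2025-04-01T10:00:00+00:00",
             "last_used_at": "2025-05-10T08:00:00+00:00", "last_used_ip": "192.0.2.10"},
            {"id": "t2", "user_id": "u1", "token_type": "long_lived_access_token",
             "client_id": None, "client_name": "node-red",
             "created_at": "2025-03-01T09:00:00+00:00",
             "last_used_at": "2025-05-17T13:34:50+00:00", "last_used_ip": "203.0.113.7"},
            {"id": "t3", "user_id": "u2", "token_type": "normal",
             "client_id": "https://ha.example.invalid/", "client_name": None,
             "created_at": "2025-05-17T13:35:17+00:00",
             "last_used_at": "2025-05-17T13:35:17+00:00", "last_used_ip": "203.0.113.7"},
        ],
    },
})


def load_store(text):
    """Parse the auth store JSON and return its 'data' section."""
    return json.loads(text)["data"]


def _ts(value):
    """ISO-8601 string (as stored) or None -> aware datetime or None."""
    return datetime.fromisoformat(value) if value else None


def user_names(data):
    return {u["id"]: u["name"] for u in data["users"]}


def admin_users(data):
    """Every user holding the built-in administrator group, owner or not."""
    return [u for u in data["users"] if "system-admin" in u.get("group_ids", [])]


def token_usage(data, since):
    """Tokens used at or after `since` (ISO string or datetime), oldest first."""
    since = _ts(since) if isinstance(since, str) else since
    names = user_names(data)
    rows = []
    for t in data["refresh_tokens"]:
        used = _ts(t.get("last_used_at"))
        if used is not None and used >= since:
            rows.append({
                "user": names.get(t["user_id"], t["user_id"]),
                "token_type": t["token_type"],
                "client": t.get("client_name") or t.get("client_id"),
                "ip": t.get("last_used_ip"),
                "last_used_at": used,
            })
    return sorted(rows, key=lambda r: r["last_used_at"])


def pivot_ips(data):
    """Map each last-used IP to the set of user names whose tokens came from it."""
    names = user_names(data)
    seen = {}
    for t in data["refresh_tokens"]:
        ip = t.get("last_used_ip")
        if ip:
            seen.setdefault(ip, set()).add(names.get(t["user_id"], t["user_id"]))
    return seen


def timeline(data):
    """Chronological (timestamp, description) pairs from token creation and use."""
    names = user_names(data)
    events = []
    for t in data["refresh_tokens"]:
        who, kind = names.get(t["user_id"], t["user_id"]), t["token_type"]
        created, used = _ts(t.get("created_at")), _ts(t.get("last_used_at"))
        if created:
            events.append((created, f"{who}: {kind} token created"))
        if used:
            events.append((used, f"{who}: {kind} token last used from {t.get('last_used_ip') or '?'}"))
    return sorted(events)


if __name__ == "__main__":
    data = load_store(SAMPLE_AUTH_STORE)
    print("admins:", [u["name"] for u in admin_users(data)])
    for ts, what in timeline(data):
        print(ts.isoformat(), what)
    for ip, users in pivot_ips(data).items():
        print(ip, "->", sorted(users))
```

Run it against the real file by replacing `SAMPLE_AUTH_STORE` with the contents of `.storage/auth` from the restored backup. The pivot is the part worth reading first: a long-lived token for an existing account being used from the same IP a few seconds before a new admin account appears points at the token rather than the login form, which is the distinction the post is trying to make. Note that `last_used_ip` only keeps the most recent use of each token, so the backup taken closest to the creation time is the one to inspect.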