Unauthorized access to company account: New key created and request sent during off-hours

Today, I logged into the company account and saw that a new key was generated and used to make a request while we were asleep. My team members and I changed our passwords. Is this even possible? None of my team members generated the key or made the request. Who could have done this on our behalf?