Hi Team,
After the user login page and before landing on the dashboard page, the security testing team is able to change the logged-in user name.
They are using the Burp Suite tool to intercept the request.
Let's say user1 is logging in, and in the request interceptor they change the name to admin, and the admin user logs in.
How can we stop this thing?
Thanks,
Hardik
Are they absolutely certain they really were able to change the logged-in user's identity, and not just a secondary utility cookie used for a redirect?
Without a more detailed explanation of how they achieved this and what they changed at what point, e.g. by having a series of automated cURL calls and command line examples to change the cookie jar to consistently replay this, or a recorded HTTP package trace, it will be difficult to give you any input on how you can "stop this thing".
Hey, Hardik! In the Admin console, admins can view only the information and perform only the tasks that their role's privileges allow. For example, you assign the pre-built User Management role to someone. Then they can view and modify only specific user profile and settings for people who aren’t admins. Before you start, decide whether you want to assign a pre-built system role or create a custom role. To view the system roles and any existing custom roles in the Admin console: You must be signed in as a super administrator for this task. From the Admin console Home page, go to Admin roles. Then you can change the settings. If it doesn't work, I have no idea what to do.