This is how it happened. We got an email from registered members that they are being spam. Another member was sending them SPAM messages.
The mail sent to them contained the name of the member so we searched for it. We also got the spammer’s account username and link by checking the affected members messages directly under their profile page on the frontend. The spammer has a profile page already. However, the username could not be found in the users section of the backend.
Then we checked users that have not activated their account or received the activation email through a plugin named Unconfirmed.
That was when we found the spammer info meaning the spammer has not activated his/her account yet but is already interacting with the community.
That I cannot explain why it happened. It seems even though the user has not activated his/her account, he/she is already recognized by buddypress.
