It appears there has been something that was hacked in my system a few minutes ago. I noticed an order came through as "Approved" in my system but it showed payment method as "test". Upon further review the order there was some funny stuff going on:
Payment information
MethodTestPaypal modetestOrder statusPendingTransaction IDXXXX11D589XXXXPayment processor responseAccepted, awaiting ipn for processing (FeeAmount: 1.95, TaxAmount: 0.00, TransactionType: cart, PaymentType: instant)Protection eligibilityEligible
The transaction ID could not be found in my PayPal account.
So I did a test checkout and I had no option to proceed to normal checkout other than to continue with PayPal (instead of my normal checkout steps). When I clicked on the link it took me to PayPal's sandbox page. That's when I went in and notice there was the "test" as a payment option. I instantly disabled it and changed my passwords and all appears to be working now. EZ admin helper doesn't show any security intrusions so it may have just been a password was hacked.
The "test" transaction is not a test at all. It is using PayPal Express to create a live outside credit card transaction. I have some random username,password and signature in the settings. Posting this to know if there is anything else I should look out for or that should be changed.