If they didn't use any hooks and checked the logs that no files have been uploaded - then gvh is safe (not hacked), I think.
What comes to mind is to submit a password reset like a real user (automated) and at the same time visit the cron URL - the reason is to simply hide that client database of one of...