A full account takeover is a really shitty backdoor. Just make a separate "test" endpoint that's exactly the same as the main API but requires no authentication so anyone can read anything. Perfectly deniable as just a bug and entirely undetectable from a target's POV.