So they have access to log in to customer accounts as the customer? That is super sus! How many admin accounts were there? Do they have emails?
As a previous employee with admin access, I can explain a bit how this feature worked.
First of all, there were different roles. Not everyone working there was an admin. I had that access but there were different levels. The support staff had stricter permissions. Country managers had about the same as support but limited to the countries they were active in, etc.
This feature didn't provide the user's password but allowed the staff member to log in "as" the given user. You searched for a user, then clicked a "Login as" button, which opened the customer portal connected as that account.
It was not used for anything bad. (Also, it's important to note that every action done at Epik, by staff or a customer, was logged, even when using that feature, so it's easy to see if someone does something wrong.)
Are you able to see from the code how that expiration date is generated? Probably some API connected to the registry? Is there a way to overwrite that date from the admin, to change it to show another date?
There is the registry expiration date and the registrar expiration date.
The registrar expiration date in the case of Epik was pulled from the main database; it's not directly connected to the registry, however it usually matches the registry date (when everything works fine).
From the admin, as far as I know, it wasn't possible to change that date; however, a few tech staff had access to the database directly and could edit it there. (I doubt they took the time to do that though, there were more important tasks.)
What probably happened is that they ran out of funds at the registry for your renewals, and the system created an error log in the system (so that an admin can review it & fix it later/when possible).
-- This system is also useful when a registry goes down, for instance, so that the renewal, registration, transfer, change, ... tasks can be restarted later.
In the case of a failed renewal, the expiration date on Epik's side could have been updated but not on the registry's side. (If I remember, it was updated directly on Epik's side, because when you did a renewal, the date was updated instantly in the customer portal, but the EPP request could be queued and so the date at the registry could be updated a few minutes later.)
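
The mismatch described in the reply above (portal date updated instantly, EPP renewal queued and possibly failing) is the kind of drift a periodic reconciliation job can flag. The following is an added example, not part of the thread and not Epik's code; the record fields, task states and 30-minute grace period are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed grace period: how long a queued EPP renewal may stay unapplied
# before a date mismatch is treated as a problem (hypothetical value).
QUEUE_GRACE = timedelta(minutes=30)

@dataclass
class Renewal:
    domain: str
    registrar_expiry: datetime        # date stored locally / shown in the portal
    registry_expiry: datetime         # date the registry reports
    task_state: Optional[str]         # "queued", "failed", "done" or None (no task)
    task_created: Optional[datetime]  # when the renewal task was queued

def classify(r: Renewal, now: datetime) -> str:
    """Return "ok", "pending" or "drift" for one domain."""
    if r.registrar_expiry.date() == r.registry_expiry.date():
        return "ok"
    if r.registrar_expiry < r.registry_expiry:
        return "drift"    # registry is ahead: the local record is stale
    in_grace = r.task_created is not None and now - r.task_created <= QUEUE_GRACE
    if r.task_state == "queued" and in_grace:
        return "pending"  # renewal still in flight, mismatch is expected
    return "drift"        # failed, stuck, or no task explains the later local date

def find_drift(rows, now):
    """Domains whose portal date is not backed by the registry."""
    return sorted(r.domain for r in rows if classify(r, now) == "drift")

# Constructed sample records (not real data).
NOW = datetime(2023, 1, 10, 12, 0, tzinfo=timezone.utc)
def d(y, m, day):
    return datetime(y, m, day, tzinfo=timezone.utc)
SAMPLE = [
    Renewal("match.example", d(2024, 1, 5), d(2024, 1, 5), "done", NOW - timedelta(days=5)),
    Renewal("inflight.example", d(2024, 2, 9), d(2023, 2, 9), "queued", NOW - timedelta(minutes=5)),
    Renewal("failed.example", d(2024, 2, 8), d(2023, 2, 8), "failed", NOW - timedelta(days=2)),
    Renewal("stuck.example", d(2024, 2, 7), d(2023, 2, 7), "queued", NOW - timedelta(hours=6)),
    Renewal("edited.example", d(2025, 1, 1), d(2023, 3, 1), None, None),
]

if __name__ == "__main__":
    print(find_drift(SAMPLE, NOW))
```

A row with a later local date and no renewal task at all, like the last sample, is the case that would correspond to a direct database edit and is worth checking against the action log.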