Non member of group can push code

I’ve got a private group on hosted Gitlab and I’m working some some subcontractors. They brought on a new dev and she signed up for gitlab, but I never gave her access to anything. She’s able to push code to the repos in that group however. I’m wondering how this is possible? The only thing I can imagine is that they could have shared their SSH key, but I have no way of knowing if that’s true. Is there any other way this could be happening? Is there somewhere I can look to understand the authentication mechanism being used?

Looks like one of the other devs gave her direct access to the repo (not through the group) since I had to make them masters to be able to import from github.