Trolling user has no associated user info

Recently we had a troll posting a very racist card on my social media app. When investigating, we found that this user did not create an account, or if they had done so, they had somehow managed to clear their email from the database. What security can I put into place to make sure an outside user cannot create a card or access the database unless logged in?

Basic privacy settings and WF rules. Seems like something fundamentally is broken.