Account compromise is one of the most common security incidents support teams handle, and one of the most frequently mishandled. The typical response — reset the password, tell the user to be more careful — misses most of the actual problem. By the time you're resetting a password, an attacker may have already changed recovery options, added authorized devices, exfiltrated data, or created backdoor access paths.

Here's the complete response procedure.

Recognizing the Signals

Compromise indicators range from obvious to subtle:

  • User-reported: "I got a notification about a login I didn't make" or "I'm locked out of my account"
  • Automated alert: Login from an unusual geographic location or device, MFA bypass attempt
  • Observed behavior: Outbound emails the user didn't send, calendar invites to unknown parties, unfamiliar apps with granted permissions
  • Silent indicators: Recent password reset the user didn't initiate, new recovery email or phone added to the account

Any of these alone warrants investigation. Multiple signals together mean you treat it as confirmed until proven otherwise.

Step 1: Cut Access Immediately

Your first action is forcing a global session termination. Most identity platforms expose this as "sign out of all sessions" or "revoke all active tokens." Do this before changing the password: if the attacker still holds an active session when you reset the password, they may read the password reset email before the user does, because the reset alone does not invalidate existing sessions.

The sequence matters:

  1. Revoke all active sessions
  2. Change the password (or force a reset to a temporary credential)
  3. Review and remove any unrecognized MFA devices or recovery methods
  4. Then begin investigation

Step 2: Audit What the Attacker Could See and Do

Once you've cut access, review the account's activity history for the window of compromise. Specifically:

  • Email/messages: Were any sent? Were any read or deleted? Was forwarding configured to an external address?
  • File access: For accounts with cloud storage access, were any files downloaded, shared, or deleted?
  • Third-party apps: Were any new applications authorized during the compromise window? OAuth-authorized apps retain access even after a password change unless explicitly revoked.
  • Account changes: New recovery email, new phone number, new trusted devices — any of these added during the compromise window are attacker-controlled and must be removed.

The scope of the damage assessment drives the scope of the notification requirements. If the account had access to customer data and there's evidence of access during the compromise, that's not just a support ticket — it's a potential breach.
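
The audit in Step 2 and the ordering in Step 1, as an added example that is not part of the original article: a Python triage helper that scans a constructed audit log for the indicators listed above, restricted to the compromise window, and emits the remediation actions in the Step 1 order. The log schema, event names and sample values are assumptions, not any vendor's format.

```python
from datetime import datetime

# Constructed sample audit log for one account (assumed generic schema).
# Each entry: ISO-8601 timestamp, event type, detail dictionary.
SAMPLE_EVENTS = [
    ("2024-04-20T10:00:00Z", "oauth.app_authorized", {"app": "Calendar Sync"}),
    ("2024-05-01T08:02:00Z", "login", {"country": "DE", "mfa": True}),
    ("2024-05-03T02:14:00Z", "login", {"country": "NG", "mfa": False}),
    ("2024-05-03T02:16:00Z", "mail.forwarding_rule_created", {"target": "archive@mail-backup.example"}),
    ("2024-05-03T02:20:00Z", "oauth.app_authorized", {"app": "Mail Backup Pro"}),
    ("2024-05-03T02:25:00Z", "account.recovery_email_changed", {"new": "recovery@mail-backup.example"}),
    ("2024-05-03T03:00:00Z", "file.download", {"path": "/Customers/export.csv"}),
]


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def triage(events, window_start, window_end, home_countries, internal_domains):
    """Return (findings, actions). findings: indicators inside the compromise
    window as (timestamp, category, detail). actions: remediation steps in the
    Step 1 order (sessions, password, recovery cleanup, then the rest)."""
    start, end = _ts(window_start), _ts(window_end)
    findings, recovery, cleanup = [], [], []
    for when, kind, d in sorted(events, key=lambda e: e[0]):
        if not (start <= _ts(when) <= end):
            continue  # Only the compromise window is in scope for the audit
        if kind == "login" and (d["country"] not in home_countries or not d["mfa"]):
            findings.append((when, "unusual login", f"{d['country']} mfa={d['mfa']}"))
        elif kind == "mail.forwarding_rule_created" and d["target"].split("@")[-1] not in internal_domains:
            findings.append((when, "external forwarding", d["target"]))
            cleanup.append(f"delete forwarding rule -> {d['target']}")
        elif kind == "oauth.app_authorized":
            # OAuth grants survive a password change; they must be revoked explicitly
            findings.append((when, "oauth grant", d["app"]))
            cleanup.append(f"revoke OAuth app {d['app']}")
        elif kind.startswith("account.recovery"):
            findings.append((when, "recovery change", d["new"]))
            recovery.append(f"remove recovery option {d['new']}")
        elif kind in ("file.download", "file.share"):
            findings.append((when, "data access", d["path"]))
    actions = ["revoke all active sessions", "reset password"] + recovery + cleanup
    if any(f[1] == "data access" for f in findings):
        actions.append("escalate: possible breach, assess notification requirements")
    return findings, actions


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS, "2024-05-03T00:00:00Z", "2024-05-03T12:00:00Z", {"DE"}, {"example.com"})[1]:
        print(line)
```

The April OAuth grant falls outside the window and is deliberately left for the Step 3 review rather than flagged as attacker activity.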

Step 3: Reconfigure Security Settings

After cutting access and completing the audit, harden the account against repeat compromise:

  • Enforce MFA using an authenticator app (not SMS if possible — SIM swapping is a real threat)
  • Remove any recovery options added during the compromise window
  • Review and revoke all third-party app authorizations, especially any added recently
  • Check for email forwarding rules and auto-forward configurations
  • Review delegated access settings if applicable (shared mailboxes, calendar delegation)

Step 4: Communicate With the User

The user needs to understand what happened without being made to feel blamed. Cover three things:

  1. What occurred: A concise explanation of what the attacker likely did during the compromise window
  2. What you've done: The immediate actions taken to revoke access and secure the account
  3. What they need to do: Any remaining actions on their side — confirming their new credentials, checking for suspicious activity in their other accounts, reviewing sent mail

Ask them directly whether they received any suspicious emails before the incident, clicked on any unusual links, or entered credentials anywhere recently. The root cause (phishing, credential stuffing, reused password from a breached service) determines whether other accounts or systems are at risk.

Step 5: Checklist Before Closing the Ticket

  Action                                    Done?
  ----------------------------------------  -----
  All active sessions revoked               [ ]
  Password reset                            [ ]
  Unrecognized MFA methods removed          [ ]
  Recovery options verified/cleaned         [ ]
  Third-party OAuth apps reviewed           [ ]
  Email forwarding rules checked            [ ]
  Activity log reviewed for data access     [ ]
  User notified and debriefed               [ ]
  Root cause identified                     [ ]
  Incident documented                       [ ]

Closing a compromised account ticket without working through this list means you probably left something open. The ten minutes it takes to run through these checks is worth it every time.