The process to handle a compromised account (or suspected compromised account) is documented here: SD – Compromised Account (Internal)
In particular, please note that if a customer self-reports a likely compromise, we should do the following:
- Help them immediately change their password
- Notify them that their account may be deactivated anyway to ensure that bad actors are not still using it.
- Report the issue via escalation to IAM.
This process may be revised in the near future, as IAM and OIS are still reviewing it. Let me know if you have questions.
