When you suspect a compromised user account, which steps should you take?

Study for the User Account Management Test. Enhance your skills with flashcards and multiple choice questions, each with hints and explanations. Be prepared for success!

Multiple Choice

When you suspect a compromised user account, which steps should you take?

Explanation:
When you suspect a compromised account, the priority is containment and rapid remediation to stop unauthorized access and protect the environment. Revoke the stolen credentials and require a password reset, then rotate tokens and end any active sessions so the attacker can’t reuse existing access. Investigate for lateral movement to see if other accounts or systems were affected and to understand the attacker’s path. Notify stakeholders to coordinate response, legal/compliance needs, and user communication. Finally, reinforce security controls to prevent a recurrence, such as tightening access policies, enforcing MFA, and increasing monitoring.

Other options miss the mark because simply increasing login attempts would risk further compromise or lockouts, notifying the user alone leaves access risk unaddressed, and disabling monitoring with unreviewed logs eliminates visibility and undermines the incident response effort.
