Users should contact their account provider, institution, or employer to alert them to the compromise. They should update the credentials (e.g. password and MFA method) associated with the account, and for all their other accounts as well, since attackers can use one set of credentials to try to gain access to other accounts.

Organizations affected by ATO should immediately revoke access for the affected account, then look for indicators of compromise (IoCs) to see if other accounts or parts of the network have also been impacted through lateral movement. Rotating credentials and keys for all internal systems is advisable as well. They may also want to contact law enforcement if necessary.
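
One way to carry out the "look for indicators of compromise" step is to pivot from the taken-over account's new source IPs and devices to every other account seen from them. This is an added example, not part of the original page; the log format, field names, sample data and function names are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in log (not real data): time, user, source IP, device id, result.
SAMPLE_LOG = """\
2024-05-01T08:02:11,alice,198.51.100.10,dev-a1,success
2024-05-01T08:05:40,bob,198.51.100.10,dev-b1,success
2024-05-03T02:14:09,alice,203.0.113.77,dev-x9,success
2024-05-03T02:20:31,bob,203.0.113.77,dev-x9,failure
2024-05-03T02:21:02,carol,203.0.113.77,dev-x9,success
2024-05-03T09:00:00,dave,198.51.100.10,dev-d1,success
2024-05-03T09:30:00,alice,198.51.100.10,dev-a1,success
"""

def parse(log_text):
    fields = ["time", "user", "ip", "device", "result"]
    rows = list(csv.DictReader(io.StringIO(log_text), fieldnames=fields))
    for r in rows:
        r["time"] = datetime.fromisoformat(r["time"])
    return rows

def find_related_accounts(events, compromised_user, compromise_start):
    """Pivot from the compromised account's new IPs/devices to other accounts."""
    mine = [e for e in events if e["user"] == compromised_user]
    # Baseline: IPs and devices the account used before the compromise window.
    # Shared office IPs land here, so they are not treated as indicators.
    known = {(k, e[k]) for e in mine if e["time"] < compromise_start for k in ("ip", "device")}
    iocs = {(k, e[k]) for e in mine if e["time"] >= compromise_start for k in ("ip", "device")} - known
    hits = defaultdict(lambda: {"success": 0, "failure": 0, "indicators": set()})
    for e in events:
        if e["user"] == compromised_user or e["time"] < compromise_start:
            continue
        matched = {(k, e[k]) for k in ("ip", "device")} & iocs
        if matched:
            hits[e["user"]][e["result"]] += 1
            hits[e["user"]]["indicators"] |= {v for _, v in matched}
    return iocs, dict(hits)

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    iocs, hits = find_related_accounts(events, "alice", datetime(2024, 5, 3))
    for user, h in sorted(hits.items()):
        # A success from an indicator means revoke and investigate; failures mean targeted.
        status = "REVOKE/INVESTIGATE" if h["success"] else "targeted, monitor"
        print(user, status, sorted(h["indicators"]))
```

Accounts with a successful sign-in from an indicator are candidates for the same revoke-and-rotate treatment as the original account; accounts with only failures were targeted and are worth watching.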