Overview
This article will explain the ACSIA alert called "possible account compromise again".
Explaining the possible account compromise again
"Possible account compromise again" means that there is a suspicion or indication that a user's account may have been breached or accessed by unauthorized individuals for a second time, after a previous security incident had already occurred and was presumably resolved.
Example: Let's say there is a medium-sized organization with a system used by employees to access company resources involving SSH (Secure Shell): a common method for accessing remote systems securely. Each employee has a unique account with a username and password to log in securely.
In the past, the organization experienced a cybersecurity incident where attackers managed to compromise some employee accounts. The IT team promptly responded, reset passwords, and implemented additional security measures to prevent further unauthorized access. They believed the issue was resolved.
However, after a few weeks, they noticed a suspicious increase in failed login attempts on several employee accounts. It appears that someone is trying to gain access to these accounts again, using various login credentials in an automated manner.
The IT team becomes concerned about a "Possible account compromise again." They suspect that the same attackers may be attempting a second attack, trying to exploit any potential weaknesses that were not fully addressed in their initial response. The team takes immediate action to investigate the situation, reinforce security measures, and protect the affected accounts to prevent any unauthorized access and potential data breaches.
ACSIA alerts you when there is a possible account compromise again on your infrastructure. Here's all the information that ACSIA shows you in the Live Notification:
Also, on the right of the above screen, we can see the actions that a user can perform in such cases.