Description
User Details
- Email: user@dev.com
- AccountID: 19
- Concierge Chat: https://www.expensify.com.dev/concierge/#/chat/4
Relevant SO Posts:
- How do I action a Review Locked Account GitHub issue?
- What does the Lock Account feature do and what actions are locked when the button is pressed?
This user wants to unlock their account, which was previously locked due to suspicious activity! You've been assigned to review their account and take action on anything suspicious.
Please reach out to the customer via email or phone to ensure that everything a bad actor could use to access Expensify (mobile phone (SMS login or using mobile app), email account (to get magic code), wallet (use of physical Expensify Card)) is secured or replaced before unlocking the account.
Since their Expensify account may have the email address or phone number changed to the bad actor's details, check their company website or online listings for any authentic contact methods and use those to reach out. If an admin locked a user's account on their behalf, reaching out to them via email is a good first step. If you are not sure how to reach out to a customer or unsure if you have the correct details, post in #concierge-operations for a buddy check.
- Check login methods - Make sure that no additional login methods or copilots have been added. If they have, work with ring0 to remove any unwanted logins.
- Check compromised Expensify Cards - Work with the customer to rotate any Virtual Expensify Cards or Unlimited Virtual Cards that may have been compromised. Dispute any possible unauthorized transactions; otherwise, explain why they can't be disputed.
- Check recently reimbursed reports - Check to make sure any recently reimbursed reports are legitimate, and work with the user to cancel any suspicious reimbursements.
- Check Workspace Members - Check the policy audit logs to see if any suspicious workspace members were added recently. Lean on the side of removing them; if they're incorrectly removed, the admin can add them back in.
- Check Domain Admins - Check for any suspicious recent Domain Admins. Lean on the side of removing them; if they're incorrectly removed, the admin can add them back in.
- Check any VBAs for recent share requests and deny them/remove them.
- Check the logs to see if the bad actor reset/enabled 2FA - If so, work with their Domain Admins to reset this, or rope in Ring0 if needed.
Only once all actions above are complete:
- Use the Unlock Account tool under Supportal > Special Access to unlock the account.