Most of these suggestions assume Google email accounts.  Here's what I'd suggest to summarize:

Disable the account first! (already done)
Review where the account had been logged into.  Get screen captures of the data.
Change the password.
Consider having the user leverage a second-factor for authentication.
Reset sign in cookies as per another suggestion.
Run AV on the user's computer(s).
Ensure a level of password complexity for the new password.
Re-enable the account.
Review their Sent messages and ALL Mail views.  Also ensure they are receiving emails correctly.  Sometimes hackers will add a rule to GMail to archive all inbound messages.  This way, the owner doesn't see the delivery failures, etc.

Verify where they access their email from.  Is it from home as well on a different computer?  Suggest they run AV there as well.

That's the basics.  



On Thu, Feb 9, 2017 at 10:06 AM, Christine Gibson <[log in to unmask]> wrote:
I would also suggest that you reset the sign-in cookies.  This will kick out anyone who may have been signed into the account.  Simply changing the password does not terminate all current sessions.  You can find the switch to reset the sign-in cookies under Account in the Google Admin Console.

Christine Gibson

PowerSchool Data Manager
49 Charles Avenue
Middlebury, VT 05753
[log in to unmask]
802-382-1720

On Thu, Feb 9, 2017 at 10:01 AM, Raymond Ballou <[log in to unmask]> wrote:
Edith

Not sure why it doesn't list change password, but here are the suggestions from Google.



R

-----------------------------------------------------------------------

Search the SCHOOL-IT Archive

Manage your Subscription to SCHOOL-IT


-----------------------------------------------------------------------

Search the SCHOOL-IT Archive

Manage your Subscription to SCHOOL-IT


-----------------------------------------------------------------------

Search the SCHOOL-IT Archive

Manage your Subscription to SCHOOL-IT