This is Part 4 in Cloud Sherpas’ Top 10 Tips for Email Administration in Google Apps
Hopefully you never run into this issue as a Google Apps Administrator, but it’s very important to be prepared in case one of your users experiences unauthorized access to their account.
The first step is to access the Google Apps Admin Console and identify the account that has been compromised. You should always change the user’s password, immediately upon hearing an account has unauthorized access.
Resetting the sign-in cookies will ensure that any active session will force the user to sign back in, so if someone doesn’t know the new password they won’t be able to access the account. You should also check to see which applications have access to a user’s account, where the unauthorized access may have occurred.