For now, I’ll suggest you to temporarily disable login and sharing and do the usual data breach remediation protocol (things like notifying the users, storing the assets, or worse purging the account data)

For now I’ll just wish why I haven’t use Dot’s password.