compromised account workflow

We've had a couple of issues with compromised or purportedly compromised accounts recently.

A recent example: https://gitlab.slack.com/archives/C4XFU81LG/p1563471678180500

I think we have a good SOP, but I don't think we have the steps clearly documented.

Let's do so!