# Internal Security Escalation — Sev-1

**Route to:** security-oncall@runcomfy.com
**Date:** 2026-04-13

---

## 1. Ticket ID

LCH-10455

## 2. Customer Name and Account ID

- **Customer:** Priya Nair
- **Email:** priya@latticevision.ai
- **Account ID:** acct_91aa40
- **Plan:** Business

## 3. Observed Indicators

| Indicator | Detail |
|---|---|
| Suspicious login #1 | 09:36:14 PT — IP `103.149.32.44` — Singapore — **success** |
| Suspicious login #2 | 09:39:08 PT — IP `45.86.210.17` — Bucharest, Romania — **success** |
| Password changed | 09:40:51 PT (not initiated by customer; customer reports password stopped working) |
| Unauthorized API key created | 09:42:03 PT |
| MFA status | Not enabled |
| Risk score | 0.97 (critical) |
| Customer location | Seattle, WA — no travel |

Two successful logins from geographically distant locations within 3 minutes, followed by a password change and API key creation, strongly indicate credential compromise and active unauthorized access.
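The triage logic behind that conclusion, as an added example that is not part of this ticket or RunComfy's tooling: it walks a constructed event log mirroring the timeline above, flags consecutive successful logins from different countries inside a short window, and lists sensitive actions taken after the first foreign login. The GeoIP country codes, the 10-minute window and the home country are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events mirroring the ticket's timeline (PT, 2026-04-13).
# Columns: timestamp, event type, source IP, GeoIP country code (assumed).
EVENTS = [
    ("2026-04-13 09:36:14", "login_success",   "103.149.32.44", "SG"),
    ("2026-04-13 09:39:08", "login_success",   "45.86.210.17",  "RO"),
    ("2026-04-13 09:40:51", "password_change", "45.86.210.17",  "RO"),
    ("2026-04-13 09:42:03", "api_key_create",  "45.86.210.17",  "RO"),
]

HOME_COUNTRY = "US"                   # customer's known location (Seattle, WA)
LOGIN_WINDOW = timedelta(minutes=10)  # assumed: two countries inside this is implausible travel
SENSITIVE = {"password_change", "api_key_create"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def triage(events, home=HOME_COUNTRY, window=LOGIN_WINDOW):
    """Return foreign logins, implausible-travel login pairs, and sensitive
    actions performed after the first login from outside `home`."""
    rows = sorted((_ts(t), kind, ip, cc) for t, kind, ip, cc in events)
    logins = [r for r in rows if r[1] == "login_success"]
    findings = {"foreign_logins": [], "implausible_travel": [],
                "sensitive_after_foreign_login": []}

    for t, _, ip, cc in logins:
        if cc != home:
            findings["foreign_logins"].append((t.strftime("%H:%M:%S"), ip, cc))

    # Consecutive successful logins from different countries within the window.
    for (t0, _, _, cc0), (t1, _, _, cc1) in zip(logins, logins[1:]):
        if cc0 != cc1 and t1 - t0 <= window:
            gap_min = int((t1 - t0).total_seconds() // 60)
            findings["implausible_travel"].append((cc0, cc1, gap_min))

    # Sensitive actions after the first foreign login are treated as attacker actions.
    first_foreign = next((t for t, _, _, cc in logins if cc != home), None)
    if first_foreign is not None:
        for t, kind, ip, _ in rows:
            if kind in SENSITIVE and t >= first_foreign:
                findings["sensitive_after_foreign_login"].append(
                    (t.strftime("%H:%M:%S"), kind, ip))
    return findings


def severity(findings):
    """Sev-1 when implausible travel is followed by a sensitive action."""
    if findings["implausible_travel"] and findings["sensitive_after_foreign_login"]:
        return "Sev-1"
    return "Sev-2" if findings["foreign_logins"] else "Sev-3"
```

Running `severity(triage(EVENTS))` on the constructed log returns `Sev-1`, matching the rating in section 5.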

## 4. Immediate Actions Requested

1. Lock all active sessions for acct_91aa40.
2. Revoke the API key created at 09:42:03 PT.
3. Force a password reset on the account.
4. Require MFA enrollment before next login.
5. Audit account access logs for data exfiltration (API calls, exports, project access) between 09:36 and 09:50 PT.

## 5. Business Impact and Urgency

- **Severity:** Sev-1 — Active account compromise
- **Impact:** Business-tier customer with potential exposure of proprietary data and API access. Unauthorized API key could still be in use for programmatic access if not revoked immediately.
- **Urgency:** Immediate. Attacker had ~14 minutes of authenticated access with elevated actions (password change + API key creation).

## 6. Customer-Facing Callback Commitment

Customer has been told a Security Operations team member will follow up within **60 minutes** of this escalation with a detailed access audit and next steps.
