You may want to check your audit log's for known bad ip-ranges. We recently had several users hit from the 41.219.x.x range and the 81.199.x.x range. If you want to verify an account has been compromised after the fact, check the audit.log files for odditie's with login ip's. If you think an account is compromised, grep the log for the account and compare login ip's. I've seen the above IP ranges from several compromised accounts.