I backup all user files from "helen" nightly. I found a suspect file in one directory. It came from a hacked Microsoft IIS server in Indonesia. That doesn't mean the culprit is Indonesian merely that a server in Indonesia was compromised by someone somewhere. Both Google and Microsoft rated the IP as "safe".
I archived the file and changed the user password. The goal is to end password logins and replace them with "public keys". That is going to be disruptive - think repeal and replace.