As this is my first, I'm unsure nature of the breach and what i need to do.
I have check a few sites (i.e haveibeenpwn) for breaches, but found none

As a precaution i have:

• Suspended the DA user account and server for a day. (i control both user and reseller account)
• Change all user password in the domain.
• Change SSL (after i unsuspend later)
• Notify the provider of the breach

So do i need to do anything else?
How do i know if its a simple password breach or much worse?

EDIT:
changed the title to reflect nature of the breach
Found the offending pc. office user brought their laptop to a 3rd party services during the weekend.
so far seems to be a spambot, scanned all the other check the entire office pc seems good.
wasted entire day

they call it confidential email

https://www.zoho.com/mail/help/confidential-email.html

What's a SecurePass Email?

SecurePass Email can be used to send confidential information or data that is shared by email but shouldn't be forwarded, downloaded, or copied&pasted. A link protected by a SecurePass code will be forwarded to the recipients via email. The secure passcode will only be sent to the actual recipient's email address, and the recipient must enter the code to view the email's content, which cannot be forwarded, copied&pasted, printed, or downloaded. The SecurePass Email can be set to expire after a certain period of time, after which the recipient will no longer be able to access the link and thus the content in the email.

My (non-expert) feeling is that this is something similar to Tutanota/Protonmail - two "secure email" services that I have used.

Any thoughts? Experiences??

( we use the subscription service for our business, not sure if it is applicable for free tier.)