As this is my first, I'm unsure nature of the breach and what i need to do.
I have check a few sites (i.e haveibeenpwn) for breaches, but found none

As a precaution i have:

• Suspended the DA user account and server for a day. (i control both user and reseller account)
• Change all user password in the domain.
• Change SSL (after i unsuspend later)
• Notify the provider of the breach

So do i need to do anything else?
How do i know if its a simple password breach or much worse?

EDIT:
changed the title to reflect nature of the breach
Found the offending pc. office user brought their laptop to a 3rd party services during the weekend.
so far seems to be a spambot, scanned all the other check the entire office pc seems good.
wasted entire day

In broad strokes, here's a summary of what Heimdall does:

• Heimdall is a self-hosted email alias/forwarding service
• It's a self-hosted and self-managed service, you have complete control over your data

It allows you to:
1. Receive safely: Receive emails on single-use aliases and forward them to your personal inbox.
2. Reply anonymously: Reply to emails from your alias without revealing your personal email address.
3. Attachments: Attachments are supported on incoming and outgoing emails (subject to size limits - see below).
4. Email commands: Manage your aliases through email directly - no separate app or website required.
5. Usage stats: Easily check the usage stats of each alias.

Disclaimer: I have nothing to do with this project. I read the article and wanted to know what you think of it.