You report a compromised key — with your confirmation the scenario deactivates it in AWS Cognito, audits the permissions, applies a restriction and reports to devino.