Which of the following practices should an incident responder not follow while recovering after an email security incident?

Changing the passwords of the affected email accounts is actually a critical step in incident recovery, especially after an email security incident. When an account has been compromised, resetting the password helps to prevent further unauthorized access and ensures that the attacker can no longer exploit that account.

In the context of incident response, documenting the incident is vital for future reference and understanding what went wrong, while notifying all users about the incident helps raise awareness and ensures they remain vigilant against potential phishing attempts or follow-up attacks. Stopping all outgoing emails from the affected accounts can prevent additional malicious activity and limit the potential impact on other users.

Therefore, the practice of changing passwords should indeed be followed as part of effective recovery procedures, as it directly addresses the security of the compromised accounts.