© Springer Science+Business Media New York 2018. Compromised user credential (CUC) is an activity in which someone, such as a thief, cyber-criminal or attacker gains access to your login credentials for the purpose of theft, fraud, or business disruption. It has become an alarming issue for various organizations. It is not only crucial for information technology (IT) oriented institutions using database management systems (DBMSs) but is also critical for competitive and sensitive organization where faulty data is more difficult to clean up. Various well-known risk mitigation techniques have been developed, such as authentication, authorization, and fraud detection. However, none of these methods are capable of efficiently detecting compromised legitimate users’ credentials. This is because cyber-criminals can gain access to legitimate users’ accounts based on trusted relationships with the account owner. This study focuses on handling CUC on time to avoid larger-scale damage incurred by the cyber-criminals. The proposed approach can efficiently detect CUC in a live database by analyzing and comparing the user’s current and past operational behavior. This novel approach is built by a combination of prudent analysis, ripple down rules and simulated experts. The experiments are carried out on collected data over 6 months from sensitive live DBMS. The results explore the performance of the proposed approach that it can efficiently detect CUC with 97% overall accuracy and 2.013% overall error rate. Moreover, it also provides useful information about compromised users’ activities for decision or policy makers as to which user is more critical and requires more consideration as compared to less crucial user based prevalence value.