I was actually thinking about this last night and what possible UX options there could be. Since everything is cryptographically signed, there's no "password reset". But could some sort of bridge be built from the latest valid note on the compromised account to a new verified account that would allow users to still maintain all of their data and history if they'd like? Is this something that could possibly be added into the NIP-05 JSON object that includes "past keys" and a nested "last event" or something like that? There would have to be additional security that doesn't allow the bad actor to mimic the same process as well.
