Abstract:
In the fast-growing Internet, legitimate user accounts can be stolen by attackers, posing a serious threat to network security. Therefore, compromised account detection is an urgent problem. Most existing work is based on the behavior and content associated with posts. However, these approaches cannot detect anomalous behavior in the early stage, when attackers only collect information, and they often fail to consider temporal features. In this paper, we propose an access behavior-based two-stage compromised account detection framework, called AB-TCAD. In the first stage, we propose a novel feature called the URL graph, which depicts a user's website access pattern. To analyze abnormal changes in user access patterns, we design an AddEdge-GNN algorithm that detects similarities between URL graphs and obtains suspicious accounts. AddEdge-GNN predicts potential new user access behavior and reduces misjudgments that treat normal behavioral changes as anomalies. In the second stage, we propose RVAE-based temporal detection. We construct temporal features of access behavior in multiple dimensions and use RVAE to detect anomalies, thereby identifying compromised accounts. We perform a real-world evaluation using data from a production network. The results show that AB-TCAD outperforms existing solutions in terms of both precision and recall metrics.
Published in: 2024 IFIP Networking Conference (IFIP Networking)
Date of Conference: 03-06 June 2024
Date Added to IEEE Xplore: 15 August 2024
ISBN Information:
Electronic ISSN: 1861-2288