If the above two keys are leaked, then your master private key at the account level (m/44'/60'/4') can be back-calculated. That means, **any private key** (both receiving and change) that you derive from that account is compromised.

To elaborate, BIP 44 uses non-hardened derivation to derive private keys after the account level. The child private key derivation equation is `kchild = kpar + hash(Kpar, cpar, i)`. Here `k` represents private key, `K` represents public key, `c` is chain code and `i` is the index. Now, since your `xpub` at m/44'/60'/4' is leaked, the attacker has `Kpar` (first 256 bits of `xpub`) and chain code, `c` (latter 256 bits of the `xpub`). Since your child private key (m/44'/60'/4'/0) is also leaked, that means the attacker has `kchild`. Using the above equation the attacker can simply back-calculate `kpar`. Even if he doesn't know the index number (0 in your case), the attacker can simply run an iteration (just a space of 2^{31} to exhaust).

Since your parent private key at the account level is compromised, you cannot use any addresses derived from the m/44'/60'/4' account unless you want to lose your bitcoins. However, you can safely use m/44'/60'/5' or other accounts.