Hey,

while I'm clearly on cryptsy's side in this case (I never ever had a single problem with this exchange, and even my only support ticket I ever had there - 2FA needed to be disabled due to my phone being stolen, back then - was resolved in a matter of minutes.

But of course cryptsy can change a user's password. As soon as there is an administrator who has access to the database (alternatively, this can also be the webserver process which MUST have access to the database in order to actually set a user's password, initially), the passwords can be changed.
There is no way around the fact that the owner/administrator of a website has control over the users' passwords (be it plaintext, hashed, hashed & salted or whatever). That's just fact. If you register somewhere as user, you are trusting that service with your password and you have to know that that service has full control over your account.