I wonder how they're doing it. If the wallets are password protected they have to somehow inject troyans with keyloggers. Otherwise they'd only be able to obtain wallet files but would need time to crack them. Maybe the wallets had no passwords? That wouldn't surprise me...
I think it's more like they managed to manipulate the system in such a way, that they are able to request many weigthy withdrawals to their preferred addresses. Even if that isn't the case, the exchange in question could take immediate action by double spending their coins with an insane fee, so that the chances are high that the outgoing transactions from the hackers will drop. As long as there aren't any confirmations, the hackers don't actually own the coins.
That would be a smart thing to do. I'm quite sue all payments are handled manually, so someone must have confirmed it on all those wallets.
There should be a rule that all big payments are verified before being sent. It's either an inside job or they were naive and careless.