I'd be interested in knowing how the hacker was compromising the accounts (after it was fixed, of course).
Probably completely off the mark, but still using the same session?
No, I forgot to reset the secret question/answer thing. That's a problem unique to this case.