That was my first thought, but then I realized they wouldn't need to know the password on the exchange sites if they controlled his email.

Now that he knows hackers view him as an easy score, he should probably up his security.  Maybe go as far as making a new email just for the exchanges, and only access everything through a virtual machine he does nothing else with.