Ok. The password reset email was sent to four addresses. I can already confirm that two of them are not compromised. We are waiting for the rest to wake up and check their email accounts. The email account compromise is the direct cause.
This is ridiculous. Password reset emails are okay for forums; but not for anything which needs real security.
Emails are postcards; it doesn't need an email account compromise to do this, just someone sitting on the appropriate router with a traffic sniffer.