Wait, are they getting the passwords of users and taking over their accounts? Could they not just be poor passwords that have been brute forced or figured out from patterns of passwords or even commandeered email accounts? If that is the case, it may not be the sites issue.