OK, it sounds like what’s happening is common among password protected sites. Knowledge is power, so when this starting happening to a friend of mine, I started to research. The way hackers get these username and passwords is by constantly hitting the server with predefined usernames and passwords. Basically, any password that’s deamed “easy” such as; password, 12345, 54321, 111111, 333333, you get the idea. Stuff that people set as an easy to remeber password. So what happens is this program keeps hitting the server trying all the combinations of usernames and passwords, until they get a match, usually they do.
Now that you know how it’s done, now you can starting preventing it. How so? by making both the password AND username ‘secure’. Basically a combination of letters, both upper and lower-case, numbers, and special characters like %. The best way to do this is to prevent users from creating their own password, at all. Or make it always go through you. Now you can do somewhat simple things to secure it. Take the password, “password.” Using some characters and numbers, you can come up with “P@ssW0rd” (the “o” in word is the number 0). Just making those simple changes can really secure it.
So what should you do? First off, let those users that have the “stolen” passwords made aware that their usernames have been stolen and have been removed and for them to email you back with new contact information. If after securing the passwords like above, you STILL see the passwords on websites, then email them again and said their password has been stolen and to arrange for a new username and password. If it STILL shows up, then I would suggest the person(s) are purposely sending those to websites. In that case I would susspend their account (3 strikes and your out). Just make sure you specify that in your user aggreement somewhere. This is a rather “benefit of the doubt” approach. A lot of secure sites say that the first time it happens the account gets cancelled without refund.
Hope this all helps.