First off, why did the IT consultant have someone else's password? Why did he give it out? Sounds like they need to stop using a consultant that can fall for a stupid social engineering trick.
As a matter of fact their CIO is an old mainframer who has little understanding of client-server networks. As a matter of fact, he's really old school mainframe and pretty much hates the whole idea of having distributed processing and distributed control. We argue all the time...

But they use a host for their website, cuz they actually don't have anybody on staff with either the experience or the desire to run the web site. (I think it may be a motivational problem, truthfully.) And since the host offered an email solution to them, they jumped on it rather than install their own (against my advice).

I advised them against the hosting idea w/email. I said "if that's the route you want to go with your web site, then okay, but don't let them admin your mail, as it puts you at their mercy when things get screwed up..." And I didn't say it in so many words, but I basically told them that they paid good money to have me come onsite to do my first 3 assessments and that it was their choice to go against my advice, I get paid one way or another. And now, I'll get paid to go back at least one more time...