Thanks Tiger Shark,
Ouch.... You are in one of those touchy situations that is probably all controlled by your contract. This means you are somewhat between a rock and a hard place. You contracted to provide services, for whatever reason you failed to provide them as stated, they, (will tell you), used only authorized logins and passwords to gain access to the functionality they needed. See, because you had the secondary login packaged in an executable that you placed on their systems that login was authorized and was only placed there for their convenience....
Well, yes! It is a very difficult situation, because unless we initiate legal action, we are bound to provide the service. We cannot just shut them down. Not unless we are in a position to defend ourselves legally and technically.

Any decent lawyer will make your position untenable and will probably actually shred your arguments in a courtroom.
The law here is very incomplete in these matters. And trials lasts somewhere between 2 and 10 years. We don't want to go in there. One possiblity is to wait for the contract to end (I think that should happen sometime in the next three months).

I don't know the exact situation there between your company and the offending client but, were it an "appropriate" relationship I would seriously consider a meeting between yourself and the people that effected this "non-standard functionality improvement" and see if between the two of you you can't help eachother... In the long run it may benefit both of you and it would certainly do wonders for the level of trust, (or lack of), between you right now.
Well, we did, I wasn't invited to that meeting, but it was more like a 'show intention of good behaviour' thing. They had reasons to criticize our systems. I don't excuse their actions, but they had grounds to state that we were not providing responsive services.

Late last week, we solved the issues they complied about, and since last friday COB they said they would continue to use the proper channels. I don't know, because now I don't trust them. Anyway this is a reminder of the fact that our systems can be cracked, our servers can be accessed, and we are more vulnerable than what we would like to admit.

Thanks a lot.