@James ... no offense taken ... our goal in responding is to help the OP. Yes, in this case, we do have difference of opinion and you are 100% correct in that those who choose to host a Moodle remotely have signed on to learn how to administer a server + the apps OP chooses to install. Problem is ... those one button click installers ... other things that make it appear to be 'easy' ... but we both know that's sometimes tip of the ice-burg.
I happen to have some recent experience with a 'spambot' ... assisting a 'webmaster' who didn't take of business. Server has been successfully eradicated of/from the issue. This to say, depending upon what, one doesn't have to assume the worst. BTW, it did take a couple of week to check things out.
One thing for sure ... OP is learning how to admin a server. Sometimes, new OP's have to learn taking the long route and lessons learned are painful but .... Would agree that the OP needs to inform users of the event and make recommendations users change their passwords - or force users to change password via Moodle (as OP should do also).
This situation also indicates the quality of the assistance OP is getting from hosting provider - so am in agreement on 'moving' for that reason. Moving, however, could mean jumping out of the pan into the fire!
'spirit of sharing', Ken