Agree with Marcus - if this is a former emloyee/developer, then he/she hasn't really needed to 'hack' anything. They are probably simply using existing authentications that have not been properly reset.
It would be nice to think of a level of professional trust - but cynically, that doesn't necessarily exist, and in some circumstances of 'former' employees, a complete reset of user passwords, right through to the basic server hard metal admin access needs to be reset (depending on what level of access they may have had, officially or unofficially, previously).
Any kind of user and password that they may have had access to, on any system, needs to be changed, including server access, ftp/ssh, database users, moodle (and other system) admins etc. But if they've had that level of access you will also need to go through carefully to make sure they haven't given another user (or even a new user role) the kind of permissions normally reserved for a site admin.
Also, if you suspect illegal access and activity, you may want to contact the police!