I would need more information on how the site is set up, what web assist processes are being used on the site.
The first place I would look is for using the HTML Editor File manager and not using a security assist login to protect it.
When you add HTML editor to a page, and enable the file manager, make sure you are also using a security assist access rule to protect the file manager. if not, it can be accessed directly.
It is also possible that they are accessing the FTP directly and not using a security hole in the site.
Change the sites FTP access credentials.