I don't think it could have anything to do with css sculptor or css menu writer. Are you using the HTML Editor anywhere? That has potential security holes if you don't add user validation?
Is this html only and no php? If so, then I don't think they could be getting in through the web pages. You may have a virus or spyware installed on your computer that is allowing the hacker to get your passwords.