I think the best way to handle this is to just send them their password without resetting it. They have to have access to their email account to retrieve the password. You can suggest in the email to change their password themselves.
If they keep getting the same email, they still know someone is messing with their account but it will have little effect on them. You could always block the IP address of the offender if it got to that level.
You don't want to get too fancy or you'll drive visitors away. You have to balance the hassle factor with the sensitivity of the information you are trying to protect. You don't want visitors to jump through hoops if it's just their shipping address.