account hacked php mysql - helper needed

I have a website that uses php and mysql. The website software is pretty straightforward using php and mysql. I do not want to post the website name because I don't want google to index this post. There are a few sites using the same software so you will fix the first one and then apply the changes to several others. Here's the problem. A hacker (presumably a user in my system but I can't figure out which one) has managed to get access to the database. The hacker emailed all the user passwords to all the users along with their names. So either the script has been hacked, or the mysql etc. I need an experienced programmer to look at the code, change all the mysql passwords etc. (maybe the path to the files too) and determine where the security flaw is and fix it. Added features like captcha etc are helpful. All the user passwords need to be randomized and changed (there are less than 600) and I need to be able to email all the users their new passwords when this is done. Also, I need to confirm only the actual mysql users and databases exist. I'm not sure if the hacker uploaded anything etc. This is a little poetry website. It does not make money and there is not real sensitive data but the users like it.