We didn't have the site tightened down quite enough. We made sure that there were no areas that could be manually exploited with the old password and had to go back to a version of the site that was before the hacking began.

We have gone a few days now without a third incident, so I believe we stopped them. I know it is probably frustrating but I do believe we are good now.