please ask all your people who have logged in there to change their passwords elsewhere
* if it is the same
* if it has the same letters, structure, logic
take a totally different password from anything else for your principal email address
you will always need your principal email address to contact services if things are compromised or have to be verified
all those firms and organisations also have to block the accounts of all their members who have logged in to Easypay, to be sure that they don't use the same password. You can't wait until they say so or have done so. You have the obligation, as a good housefather and as a security person, to protect your network and data, and now that you know their passwords are on sale online you have to limit the risk by whatever means you have (and that means resetting all the passwords of those people using your extranet or external protected services), and in some critical infrastructure like Belgocontrol and Isabel even their internal passwords (because I suppose that you don't have the cheap but effective double authentication methods)
you can't know when the data will be sold and to whom
you can eventually try to recover the costs of doing so from Easypay by filing a claim in court - there is enough evidence to do so - because they were really negligent
oh and if you are a bank or you use personal private data and so on - then not blocking all those passwords - makes you NEGLIGENT - and if something happens - YOU ARE IN COURT
some say I am paranoid.
I prefer to be a bit paranoid and not end up in court.
and so on and so on
1000 of the 32.000 are here