I am curious as to how you have "notices this can happen on many IPS websites"? Could you perhaps elaborate on that?
There isn't any way in which to actually get password from the database (for example, even from the database, I couldn't tell you what your password is). So if someone is sending you usernames and passwords that are genuine, its very likely they have gotten it from another source. We often find that users using the same password across multiple platforms are the ones that get targeted.
Of course, if you have more specific information, please do feel free to contact our accounts department on the contact us link below (or pm me, that's not a problem). But a list of usernames and passwords being sent to you won't have come from your IPS database, as they simply aren't stored in a manner that is readable and would allow that, even with full access to a sites database.
If you have many customer accounts that have been compromised, I would advise you force all users to change passwords on your site, which you can do from the members section of your admin CP