Thank you for the reply Karen.
1) My FTP password is not stored in the soho admin programme (an old one was logged there but since deleted.)
2)email_friend/write review features long since disabled in my shopping pages.
3) I'm very concerned, as to alter the code on a module itself, you need access to it via BlueVoda or cPanel, and hence the password for these areas. My password is changed quite regularly, and I thought even a brute attack on it would result in a lockout so to speak.
I'll submit a ticket and see what response I get.
Regards
AndyP