There are ways other than FTP to hack into websites: http://securitylabs.websense.com/con...erts/3421.aspx
If the sites are hosted on servers that you don't own and maintain, then contact the host company so that they are aware of the issue and can address it. It's likely, especially if your sites are all from the same host and especially if they are all on the same server, that the issue isn't specifically with your websites, but rather with the server having a vulnerability that has allowed intruders access to files.
Changing all site passwords is the first step. Switching from using FTP to Secure FTP (sFTP) is something you should also do. If your host doesn't offer sFTP, ask them why (sFTP encrypts passwords so they can't be intercepted like they can with FTP, where they are sent as plain text).
Is there a script in common with the sites hacked? If so, look into whether it may be the source and see if there is an upgrade for it.