How did Pharma Hack Spread to Updated Secure Sites?
We recently had a small CentOS machine running around 10 sites. Some of the sites were up to date and secure (security plugins, etc.) and some were not up to date due to their reliance on older plugins.
We recently got hit by a variant of the Pharma hack that just goes through the sites and includes outbound links to Cialis and Viagra sites etc.
The most troubling part is that, on inspection, all 10 of those hacked sites had a new administrative user named ‘user’, obviously with full administrative rights.
My question is not how they got in (we will have to investigate that further), but how did they spread from their entry point to sites that were locked down pretty well?
I am assuming they found a way to write in a new user, but how did they then write in a new user into another domain space? More importantly, is there anything we can do on the server level to create a better barrier between databases on a shared environment?
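One server-level barrier the question points at is the database: if every site's wp-config.php carries the same MySQL account, a foothold on one site reaches every other site's users table, which is exactly the pattern of one rogue admin appearing on all 10 sites. The script below is an added example, not code from the post or from WordPress; it parses constructed wp-config.php fragments for three hypothetical sites (site1.example, site2.example, site3.example), reports any DB user shared by more than one site, emits per-site CREATE USER/GRANT statements restricted to that site's own database (the password is a placeholder to fill in), and builds the audit query that lists administrator accounts per site so an unexpected ‘user’ can be spotted.

```python
import re
from collections import defaultdict

# Constructed sample wp-config.php fragments for three hypothetical sites; not from the original post.
SAMPLE_CONFIGS = {
    "site1.example": """
define( 'DB_NAME', 'wp_site1' );
define( 'DB_USER', 'wpshared' );
define( 'DB_PASSWORD', 'constructed-1' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
""",
    "site2.example": """
define( 'DB_NAME', 'wp_site2' );
define( 'DB_USER', 'wpshared' );
define( 'DB_PASSWORD', 'constructed-2' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
""",
    "site3.example": """
define('DB_NAME', 'wp_site3');
define('DB_USER', 'wp_site3');
define('DB_PASSWORD', 'constructed-3');
define('DB_HOST', 'localhost');
$table_prefix = 's3_';
""",
}

# Matches define( 'DB_NAME', 'value' ) with either quote style and optional spacing.
DEFINE_RE = re.compile(r"""define\(\s*['"](DB_NAME|DB_USER|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")


def parse_wp_config(text):
    """Return the DB_NAME/DB_USER/DB_HOST defines plus the table prefix (default 'wp_')."""
    cfg = dict(DEFINE_RE.findall(text))
    m = PREFIX_RE.search(text)
    cfg["TABLE_PREFIX"] = m.group(1) if m else "wp_"
    return cfg


def shared_db_users(configs):
    """Map each DB_USER used by more than one site to the sorted list of those sites.

    A DB account serving several sites means a compromise of any one of them can
    read and write every other site's tables, including wp_users."""
    users = defaultdict(set)
    for site, text in configs.items():
        users[parse_wp_config(text)["DB_USER"]].add(site)
    return {u: sorted(s) for u, s in users.items() if len(s) > 1}


def least_privilege_grants(configs):
    """Emit one MySQL account per site with rights on only that site's database."""
    stmts = []
    for site, text in configs.items():
        cfg = parse_wp_config(text)
        # MySQL user names are limited to 32 characters; derive one from the site name.
        user = ("wp_" + re.sub(r"[^a-z0-9]", "_", site.lower()))[:32]
        stmts.append(
            f"CREATE USER IF NOT EXISTS '{user}'@'{cfg['DB_HOST']}' "
            f"IDENTIFIED BY '<unique password for {site}>';"  # placeholder, set per site
        )
        stmts.append(
            "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX "
            f"ON `{cfg['DB_NAME']}`.* TO '{user}'@'{cfg['DB_HOST']}';"
        )
    return stmts


def admin_audit_query(prefix):
    """SQL listing every account holding the administrator role in one site's tables.

    WordPress stores roles in usermeta under the key '<prefix>capabilities'."""
    return (
        "SELECT u.ID, u.user_login, u.user_email, u.user_registered "
        f"FROM `{prefix}users` u JOIN `{prefix}usermeta` m ON m.user_id = u.ID "
        f"WHERE m.meta_key = '{prefix}capabilities' AND m.meta_value LIKE '%administrator%' "
        "ORDER BY u.user_registered DESC;"
    )


if __name__ == "__main__":
    for user, sites in shared_db_users(SAMPLE_CONFIGS).items():
        print(f"DB user {user!r} is shared by: {', '.join(sites)}")
    print("\n".join(least_privilege_grants(SAMPLE_CONFIGS)))
    for site, text in SAMPLE_CONFIGS.items():
        print(f"-- {site}\n{admin_audit_query(parse_wp_config(text)['TABLE_PREFIX'])}")
```

Run the audit query against each site and compare the list of administrators to the accounts you actually created; a recently registered admin you do not recognise is the indicator described in the post. Separate DB accounts close the database path only: if all sites run as the same PHP/OS user, one site's files are writable from another, so the equivalent barrier on the file system is a separate PHP-FPM pool and system user per site with each docroot readable only by its own user.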