Apparently the S/MIME signatures match just fine ... it is possible they got ahold of their private keys as well to sign messages, but that would be more difficult than hacking the central servers as private keys are stored locally on the clients machine.
Not necessarily. You can copy private keys to different machines just as easily as you can copy anything else. Since it's important not to lose private keys, it's plausible that lazy and/or ignorant persons would copy them to central servers for easy retrieval. It's much more hassle to burn to a CD and put them in a safe deposit box at the bank, after all.
Apparently the S/MIME signatures match just fine ... it is possible they got ahold of their private keys as well to sign messages, but that would be more difficult than hacking the central servers as private keys are stored locally on the clients machine.