I wouldn't be surprised if forwarding is a "This account is compromised" indicator and is unintentionally short circuiting and causing accounts to be locked out.
That makes sense in my scenario... im in this scenario, but if true, that just means the owner loses the account and the alleged infiltrator(s) keep the forwarding.