It sounds possible. It may also be that their passwords are easily guessable using a dictionary attack. Have them change the passwords to something complex -- a minimum of 8 characters, using upper and lower case letters, numbers and special characters (! @ # $, etc.) in a random order that doesn't resemble any known words.
Also, are they using https instead of http to log into their email accounts? Yahoo allows you to require a secure connection -- anything not https is being sent in cleartext and those packets can be captured and read by anyone.
And don't have them use the "Keep me logged in" feature. Those session tokens are capturable as well; hackers can use them to impersonate them and gain access to their accounts.
If the accounts are still getting hacked after the changes, especially if they switch to using secure https logins, then yes, it is most likely a keylogger.
Hope that helps.
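An added example, not part of the original post: a checker for the password rule described in the answer above (8 or more characters, mixed case, numbers, special characters, no resemblance to known words). The names `check_password`, `resembles_word` and the small `SAMPLE_WORDS` list are hypothetical and constructed for illustration.

```python
import string

# Constructed sample wordlist (assumption); a real check would load a large
# dictionary plus a list of known-breached passwords.
SAMPLE_WORDS = {"password", "dragon", "monkey", "yahoo", "letmein", "welcome"}

# Common character substitutions that dictionary-attack tools reverse.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def resembles_word(password, words=SAMPLE_WORDS, min_len=4):
    """Return a dictionary word hidden in the password, or None."""
    lowered = password.lower()
    # Test the raw form and the form with substitutions reversed.
    for form in (lowered, lowered.translate(LEET)):
        # Dropping non-letters also catches words split by digits or symbols
        # (deliberately conservative: "pass12word" is flagged too).
        letters = "".join(c for c in form if c.isalpha())
        for word in words:
            if len(word) >= min_len and word in letters:
                return word
    return None


def check_password(password):
    """Return a list of rule violations; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    word = resembles_word(password)
    if word:
        problems.append("resembles the word '%s'" % word)
    return problems
```

A password such as `P@ssw0rd!` satisfies every character-class rule and is still rejected, because reversing the substitutions yields a dictionary word.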