There are others here that know more about security - I speak from time here and running my own sites.
The weakest link is your password into your blog. I deal with an amazing amount of blogs which have the same login for the blog / cpanel / ftp / mysql etc etc. So if you had the same pw for 7 sites, that could be the issue.
Your host will say that anyway. (Who IS your host ?) It's a lazy way of doing nothing and blaming someone else.
666 ? Files should be okay at 664 but even so, whoever did this had access first - and I still say that it is 99% more likely that this is unrealted to WP but they picked on those pages because they are public.
1 - Who is your host ?
2 - Backup
3 - Consider finding another host.