The relationship is the problem.

Calculating the levenshtein distance is the first thing that comes to mind, then creating a regular expression that covers any leaked passwords tied to the same account.

This is all easily scriptable and two leaked passwords might be all a script needs to discover the pattern. Once the pattern is known, all of their passwords become knowable.