In one instance, they got into an internal extension and cracked it - was just 4 digits, easy. Quoting Jeff in one of the post you refer to:
"It doesn't matter if your extension is set for internal or not. Internal/external simply turns on Asterisk's nat processor (nat=yes). It doesn't stop SIP packets, which is usually all these guys are interested in".
Nice part of it is that my ISP only charged me their cost price, as per Australian regulations - ISP cannot profit from fraud. So the $2,000+ ended up around $1,100. Nice markeup hey, just under 100%, and this is one of the more competitive ISP. Telstra et al a doing a lot better obviously. We in the wrong business....