This can happen a number of ways- the most common is to access any VM user, then * or # until you get to the option to "login to your MB"- hackers will dial over and over until the figure out the correct pattern. Most of the time, it is pretty easy to do...admin mailboxes assigned as repetitive digits, with fairly easy passwords. This helps the installer to "remember" passwords to all of the hundreds of customers that they manage. I recommend that you CHANGE PASSWORDS for admin/manager mailboxes IMMEDIATELY! Also change the mailboxes to random digits. Also recommend you consider restricting VM from being able to access outgoing trunks. If the passcode length is 4, change it to 8. Make sure that mailbox lockout is enabled and set to max lockout duration as well. I used to have a great document on securing voicemail, I will share it if I can find it.