Was this a Yealink phone?
By default there is a "user" account with password "user". If the phone was open on the Internet via HTTP or HTTPS it could be the case that this was accessed and a high cost fraud destination set as the call forward code. This allows them to make outbound calls by...