This comment started out short…
As far as I can see, there are several explanations for this story, ranging in likelihood:
1 - an attacker really is capable of performing the almost 1000000000000000 attempts required to guess a random 10 alphanumeric password in a day without being blocked / rate limited as a massive DoS.
2 - the customer in question’s idea of a random 10 character password is “Password12” and they are simply outraged at their inability to make it the intended “Password123” or “Password1!”.
3 - the attacker has gained access to Virgin Media’s internal password hashes (or plaintext database), making such a daily brute force at least theoretically possible (albeit at significant expense) but is thankfully only interested in messing with a single customer’s account.
4 - their machine has been compromised (and no amount of password strength is going to help them). If this device is in fact their phone, this may also render some methods of 2 factor authentication rather weaker than expected.
5 - they are using a password manager and their mystery attacker has managed to gain access to it.
6 - someone is simply spoofing their email address in emails to known contacts (phone apps commonly steal these, so I assume lists of known contacts are available for purchase to the well-heeled hacker) and this Reg reader has mistaken this for full access to their account.
Regardless of which of these possibilities I think is most likely, if I were in this situation, I’d probably start with leaving ISP email accounts in the 90s where they belong! Likewise, while I understand some limits being placed on passwords (i.e. length / complexity limitations to help avoid exploitation of vulnerable password verification implementations), 10 alphanumerics is pretty shocking in 2022. Putting aside my personal hatred of any enforced “strength” requirements on passwords (adding a “1!” to the end of a dictionary word does not make a password appreciably stronger - especially where this is enforced), how hard can it be to simply verify a user isn’t attempting to use a password on any list of compromised credentials and is not a reasonably guessable combination of dictionary words / phrases?