
The curious things VM does with your data

Anonymous
Not applicable

An occasional series. Contributions welcome.

Inspired by the richly creative VM "privacy" policy

32 REPLIES

Anonymous
Not applicable

The European Commission has the power to determine, on the basis of article 45 of Regulation (EU) 2016/679, whether a country outside the EU offers an adequate level of data protection via the adoption of an "adequacy decision".

The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, and Uruguay as providing adequate protection.

What it has NOT recognised to date as "adequate" custodians of our private data are the known locations of the outsourced and offshored ramshackle "customer service" outfits VM contracts - India and the Philippines.

But hey it's all good as it's in the contract with these backstreet outfits:

"If there is not such an adequacy decision, we implement appropriate safeguards or other available legal mechanisms for transferring personal data to third countries. For example, we enter into appropriate contracts, known as standard contractual clauses, with our business partners and suppliers in those third countries to ensure the protection of your personal data."

We can all rest easily. 

Anonymous
Not applicable

VM has an established track record of seriously and deliberately breaching its legal obligations around protecting its customers' privacy and data protection and has been both fined and reprimanded by the Information Commissioner's Office.

It pays to read the full official judgements to behold the entitled arrogance of VM's attitude towards its customers and the regulator: 

https://ico.org.uk/media/action-weve-taken/mpns/4019153/virgin-media-limited-monetary-penalty-notice...

https://ico.org.uk/media/about-the-ico/documents/4021725/virgin-media-limited-letter.pdf


Anonymous
Not applicable

Virgin Media has been known to happily share its customers' private and personal emails with other random VM customers in direct breach of Article 82 of GDPR.

Anonymous
Not applicable

Virgin Media has sent confidential customer billing notification emails, without authorisation and out of the blue, to their spouse, causing them to understandably believe that VM has been hacked. 

Anonymous
Not applicable

Once Virgin Media has routed you to its various outsourced and offshored ramshackle backstreet boiler room "customer service" outfits in India and the Philippines it will make it impossible for you to successfully complete your legal right to your data and call recordings by making the Liberty Global secure portal it uses for this purpose impossible to register for in order to actually access the data and call recordings (assuming they weren't conveniently deleted in the first place). 

Anonymous
Not applicable

Last September Virgin Media were formally reprimanded by the Information Commissioner's Office for failing to meet the statutory timescales on Subject Access Requests at an industrial scale of one in every five SAR requests (around 4000 delivered late or not at all).

VM is currently being closely monitored on its progress, if any, on this and further formal action may yet follow.

Anonymous
Not applicable

Virgin Media uses some tracking cookies on its website that have a programmed lifespan of a DECADE:

url.key (3649 Days expiry / 1st Party)

TrackingID (10 Years expiry / 3rd Party)

optimizelyOptOut (10 Years expiry / 1st Party)

mid (10 Years expiry / 3rd Party)

ig_did (10 Years expiry / 3rd Party)

VISITOR_BEACON (10 Years expiry / 1st Party)


Anonymous
Not applicable

Those decade-old cookies listed above, rocking back and forth in their virtual rocking chairs, almost certainly breach the Information Commissioner's Office's rules on expiry proportionality.

According to the ePrivacy Directive, such "persistent" cookies (as they are known in the browser snooping trade) should not last longer than 12 months. 

 

Anonymous
Not applicable

At time of posting there are 846 results on a search of the term "hacked" on these community forum pages.

A scan through a good sample of these points to a significant and widespread security issue with mostly legacy (or "orphaned") ntlworld and blueyonder email accounts (there is a help page on hacked active accounts). 

A common and unfortunate experience (other than the bizarre and comical outbreak of "Hello Roger" password resets last November) is for the (ex) email account holder to have associated social media accounts subsequently hacked, to have friends and family spammed and harassed, and to receive sinister demands for bitcoin from the hackers.

This may be partly due to phishing scams. However, there was a massive VM email data breach of around a million records in 2020.

In addition, VM's password format policy, and lack of two-factor authentication, has been criticised as inadequate.

Lastly, although there are arguments on both sides on this one, I think VM need to be more rigorous in fully and promptly deleting all legacy email accounts after a brief grace period and after reasonable warning.

As always I recommend VM email account users (including ntlworld and blueyonder) begin a planned migration of email to non-ISP cloud email accounts (it's a hassle, I know, but important) with the likes of Gmail and Outlook which, although not perfect in this regard, are at least portable, and are likely to enjoy more ongoing investment in security.

Anonymous
Not applicable

As an aside on the above, and as a public service to VM and its customers, I did some further digging.

Fully apprised of, and signed up to, VM's sensible Acceptable Use Policy, I used an independent data connection to check for the availability, if any, of hacked VM email accounts on the "Dark Web".

I am pretty much a complete newbie to this grim and depressing world and see no need to ever revisit it but for what it's worth it appears to be entirely focused on high profit margin transactions around drugs, crypto, hacked credit card and ebay accounts, and dodgy money transfers (as you would expect).

I couldn't find any hacked email accounts whatsoever and suspect they would be generally more hassle than they are worth for the hacker/scammer fraternity. (Had I done so I would have looped in VM and the ICO accordingly straight away.) 

Saying all of that I do hope that the data security team/person at VM have a more informed look than I can offer on a regular basis.

But I doubt it.