I really wonder how they got in there

Someone could have just been brute forcing the email for the past 5 years. Although if it were that you think the provider would have noticed by now. I can only imagine how many failed attempts it would take for a decent password.

I guess we will just have to enjoy the popcorn and see if he reveals the attack vector.