Telecom Junkies published an interview with Robert Moore, who has been convicted of VoIP hacking / fraud. In the interview, Moore explains that they used easily guessable passwords as well as default ones to get free VoIP service. The VoIP-based attacks targeted H.323 not SIP. Similar attacks to ones described in the interview can be launched on SIP based PBXs by making use of svmap, svwar and svcrack.
Moral of the story: audit your PBX now before someone else does ;-)