Let me guess.... R8.1.67? There are more threads on this and it seems to be a bug in IP Office of some kind, nothing confirmed yet but unless you created remote access without the proper security then yes, the IP Office can be hacked but in a well secured config.. no way.
These are the steps to perform on any new install before connecting the system to any LAN:
Change the security settings, remove all unnessecery accounts and create a new one for yourself and one for the customer using complex passwords.
Lock down all connections you don't use like IPDECT etc.
Change the default system password, VM password and Monitor password.
Change the unique security account and give it a complex password.
Nevere ever link a IP Office direct to the Internet, always behind a solid firewall.
Use SIP trunks from providers who have a solid Session Border Controller or install one locally.
Allow only remote access to the IP Office through a secure VPN connection.
If done the above then it is nearly impossible to hack your system, but unfortunally there are a lot of installers now wondering what a "Session Border Controller" is and "Security settings? Where can i find that in my config?". These are not the kind of partners to work with these days.