Unmeteted overnight usage.

If changing the wi-fi password has definitely cured the problem then it seems unlikely the original password was cracked because anyone with the capability to do that could do it again.  So either somebody who gained entry to the house read the password off the router or you had a rogue application on one of the devices.

How do we know the plusnet default passwords are random? My understanding is WPA is quite time consuming to  break

What type of router is it? (you mentioned the account has been held for 6 or 7 years, I think, so I assume it's an older model).
Generally passwords are randomly generated and programmed at the factory, when the unit is burned with Plusnet's custom firmware and settings.
Presumably you know what the original (cracked) password was - is it a random string of letters and numbers, or is it a word that would be in a dictionary? If the latter, then it could be cracked in a pretty short time (hours or even minutes), using a dictionary attack on the password hash which can be captured over the wifi radio when your Mother connects. If it's a random string and it's longer than 8 characters then it's very unlikely to have been cracked.
Does the router have WPS and a button to activate it? If so, it's possible the button was pressed accidentally. That would allow someone to connect if they were lucky enough to be listening when WPS was activated. I'd recommend disabling WPS if the router has it. It's not secure.
In terms of the new password, make sure it's not a word that would be in a dictionary (or several words). A random string of lower and upper case letters (with one or maximum two numerals) would be secure. The longer the better, but I'd advise at least 12 characters. Also, if the router and computers support WPA2, use that over WPA.
I hope your Mother is secure now, and not too put off by the experience!

She used to have a Dlink router, but it went bad and Plusnet supplied one last year in exchange for staying on a 12 month contract.
The password was a seemingly random selection of characters (I don't know if they are truly random mind you) that the router came with.
There hasn't been any excessive account activity since it was changed.  She is phoning Plusnet this afternoon to speak to billing, I have reminded her that a £0 limit WAS applied to the account before she changed package, and Plusnet removed it when the package was changed, which is rather underhanded and would have prevented all these excessive charges.

It's probably a Technicolor TG582n then. White plastic with a grid of holes on the back half of the top surface.
Very unlikely the router's original wifi password was cracked. The random password is printed on the bottom of the router and on the card that comes with it. If there really was a wifi intruder, then it's most likely either:

• The intruder has had physical access and seen the password;


• The intruder used vulnerabilities in WPS. There are two well known vulnerabilities which simply require the intruder to be in radio range when someone uses WPS to connect a device to the router. The first is documented here, the second in the transcript of a Security Now episode here (explanation starts on page 16). The TG582n router is susceptible to both vulnerabilities, apparently.

As a precaution, it's generally advised to disable WPS. There are instructions on how to do this for the TG582n on Telecom NZ's web site - should work for the Plusnet version too.

Yes, I believe it's a white one.  It came with a handy QRCode for setting up phones and tablets.  The card has been safely stored since it was set up.

In the past, people have figured out how to deduce the default WPA key based on the publicly broadcast MAC address / SSID: http://www.gnucitizen.org/blog/default-key-algorithm-in-thomson-and-bt-home-hub-routers/

Well Plusnet are adamant that the charge won't be refunded, had nothing to say about the cap being removed on product change, and had the audacity to sell my mother a Home Phone package and a switch to the unlimited package... 
She is now locked into Plusnet for another 24 months as a result.
I have urged her to write a complaint, as it's not really on, not that it's going to do much good, as having already agreed to the phone package and is now locked into Plusnet, there is absolutely no bargaining chips left.
No particularly happy, and I will be MUCH more cautious about referring to close friends and family now, as I have seen the more evil corporate BT side of Plusnet in action.

Isn't there a "cooling off period" with that sort of sale?
Given that your Mother doesn't need unlimited and had phoned to complain about a charge on her bill, I'd describe that as mis-selling. Outrageous 

EDIT:
James has sorted this out in a satisfactory and efficient manner.  Many thanks.