It seems like they tend to not change the account password. If anything, changing the password could be counterproductive because they seem to want access to look for stuff more than exclusive control. The longer they have access, the more likely they are to find something valuable.
In terms of notifying them, I think an email would be appropriate, although straight up saying that the customer's account has been compromised might not be the best idea because the hacker could update their software to look for that. It might be better to send an email about some billing issue, and when the customer calls then explain to them that their account has been compromised.
Whatever wording they chose, if any major email provider went down this route, hackers would learn to identify these emails soon enough and automatically delete them from compromised accounts.
They could. The success of that approach would vary though. The email provider could look for that too and resend the email. They could also disallow rules that block emails from them in this case.
The user could also get the email on their device if the hacker doesn't delete it quickly, which is a possibility given the low and slow nature of this scheme.