TLDR: I don't know. :)
The configuration was just a file. The file format was standardized to allow any modem to work, I believe, so in theory someone could replace the configuration file without much effort. The ISP would know the CM MAC, possibly another identifier (it's been a while, I don't recall everything), to know what services/speeds to allow for a particular customer, and know which config to send them. If the ISP just made the filename for a customer the CM's MAC, it would be easy to replace for just one user. If it looked up which configuration to supply a customer from a database, you'd need to tweak that. As the configuration selection gets more complex, you might just get hackers replacing a config shared by hundreds or thousands of customers... the massive uptick in traffic that would cause would likely cause trouble. No idea how quickly they'd find the replaced config, but if it was affecting everyone on the same plan, I imagine they'd clue in pretty quick.
I'm not aware of how people abused the system or how the ISP configuration side was generally done, but it sounds plausible. What I don't recall is if the downstream bandwidth is actually listed in the CM config, since only the CMTS needs to know the limit on what it can send, or what upstream bandwidth to allow. A CM can request to download whatever it wants, but the CMTS will throttle your downstream and upstream bandwidth however it wants. If it's in the config, and if the CMTS reads and uses the same config, then sure.
Even if they were separate configs, and the CMTS config was non-standard, people may also have just copied the higher-end CMTS config over top of the lower-end one. Who knows.
But yeah, if you did it in a way that affected everyone, you'd probably cause enough trouble to get noticed pretty quickly.