Well, gentlemen, I think you are collectively in with a very good chance of being correct...

I just took a look at my HomeHub settings and found "allow UPnP" enabled. I don't recall doing it, but I must have as I can't believe it'd be the default setting.

Needless to say it's now disabled but in the mean time someone (ostensibly an IT services provider in California according to whois!) has successfully connected via FTP according to the log. Damn. They were connected for about half an hour before I realised and hit the "off" switch supplying the Home Hub.

I now have a new external I.P address (confirmed) as well as having switched off external UPnP but now need to think what to check for malicious intent.