In terms of being "Hacked", your Dongle needs to support 29Bit SW Can (For the VE models).
This rules out a lot of the cheap chinese ELM327 stuff out there.
If you have an OBDLink style bluetooth connector (or a modified GTOSoft device that connects directly to the SW Can Bus), then yes, you can be hacked if it is plugged in (Even with the ignition off, keys removed, car locked / parked and the owner of the vehicle long gone)
(You can easily send a 29Bit Canbus command to wake up the devices, then send a door unlock or boot release command).
With android devices supporting bluetooth serial, you could even do this using a half decent phone.
Not many people know how to do this sort of stuff (Only a dozen or so that I know of), but it is definitely possible.
Though I have to admit to leaving mine plugged in occasionally whilst the car is garaged.
If anyone is intersted, do a quick google search for GMLAN Bible. (Which is VE SW 29Bit Can bus specific).
As for power consumption, I have founf that the OBDLink model I have is very good in terms of standby power consumption.
(It chews about the same as the GPS tracking devie I have installed).