A fraudster with a backpack stands in front of an open doorway at night, facing a futuristic black smart lock displaying the default "00000" code he typed in, with two carved Halloween pumpkins glowing dimly on the front steps.
#WhatFraudstersLike #CyberAwareness #IoTSecurity #FraudPrevention #LetsTalkFraud

Fraudsters Like Default Credentials!

"If it works out of the box, why change it?" – because that’s precisely what cybercriminals rely on.

Leaving devices or software in their default state is like moving into a new house and never changing the locks. Fraudsters know that factory settings are one of the easiest doors to walk through.

Hardware – the forgotten locks

🔌 Smart cameras, routers, and other IoT devices often ship with the same username and password, such as "admin" and "1234." The infamous Mirai botnet[ref] began by scanning the internet for a short list of roughly 60 known default combinations and infected over 600,000 devices at its peak. Its descendants are still evolving: Mirai-variant botnets have since driven DDoS attacks peaking at 5.6 Tbps.

📶 Home routers with "remote management" or plug-and-play (UPnP) left switched on can be hijacked and their DNS settings changed, so that traffic is rerouted to fake banking or login pages. Even Juniper routers were scanned and compromised in late 2024 when they had been left with their default passwords.

🐠 The casino fish-tank hack[ref] became legend: attackers reportedly exfiltrated a Las Vegas casino's high-roller database by way of a connected aquarium thermometer that still had its vulnerable default credentials.

🔒 Smart locks and building-access systems often come with default PINs like 000000 or 123456. Tests show that many users never change them, so anyone who tries a handful of common codes can open a "secured" door.

🌍 Search engines for connected devices, such as Shodan, make it simple to find exposed cameras or sensors. Many still accept default credentials, so anyone can view live feeds from offices, factories, or even city infrastructure.

📱 Mars Hydro's 2024 IoT breach exposed 2.7 billion records, including Wi-Fi passwords and device IDs, after a database of user data was left publicly accessible with no password protection at all. Here the default was not a weak password but no authentication whatsoever.

Software – built for convenience, not safety

🗄️ Databases left wide open remain an easy target. Tens of thousands of MongoDB instances (and other database engines hit in the same wave) were wiped and held for ransom because they were exposed to the internet in their default configuration: no authentication enabled and no accounts or passwords ever changed.

⚙️ Enterprise software and automation tools like Jenkins have been compromised when setup or test accounts stayed unchanged. Not every mass breach is a credential story, though: the 2023 MOVEit Transfer campaign, which impacted over 2,700 organizations worldwide, exploited a zero-day SQL injection flaw rather than a default login, a reminder that "change the defaults" has to sit beside "patch promptly."

🧑‍💻 Backup and monitoring tools were a favorite target of the RansomHub ransomware group in 2024: they broke in through a default account commonly found in backup solutions, trying about 5,000 common username-password pairs against it.

💾 RDP and cloud services are repeatedly abused through brute-force and default-credential attacks; these remain among the most common initial access vectors for ransomware operations.

🤖 AI chatbots aren't immune either: in 2025 McDonald's hiring chatbot platform was accessed through a test administrator account whose username and password were both "123456," exposing the personal data of up to 64 million job applicants.

Why do fraudsters love defaults? Because they save time: there is no need to "hack" anything when you can simply log in. Reports suggest that 57% of IoT devices remain vulnerable because of outdated software or unchanged factory settings, and that 15% of owners never change their default passwords. The same applies to businesses that skip setup steps under time pressure, and attackers know it.
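"Just logging in" leaves a recognisable trace in your own logs: one source failing logins for several factory usernames within seconds, sometimes followed by a successful login on one of them. The detection below is an added example written for this post, not code from the original, run over constructed sshd-format log lines. The username list is a small constructed subset of the kind of defaults Mirai-style sweeps try, and the thresholds (three distinct default usernames within 60 seconds) are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in sshd auth.log format; not real traffic.
SAMPLE_LOG = """\
Oct 31 22:14:01 gw sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct 31 22:14:02 gw sshd[2212]: Failed password for root from 203.0.113.7 port 51235 ssh2
Oct 31 22:14:02 gw sshd[2213]: Failed password for invalid user support from 203.0.113.7 port 51236 ssh2
Oct 31 22:14:03 gw sshd[2214]: Failed password for invalid user user from 203.0.113.7 port 51237 ssh2
Oct 31 22:14:05 gw sshd[2215]: Accepted password for root from 203.0.113.7 port 51238 ssh2
Oct 31 22:20:10 gw sshd[2290]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Oct 31 22:20:30 gw sshd[2291]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

# Constructed subset of factory usernames that default-credential sweeps try.
DEFAULT_USERS = {"admin", "root", "user", "support", "guest",
                 "service", "supervisor", "ubnt", "operator"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+)"
)


def parse(log_text, year=2025):
    """Turn auth.log lines into (timestamp, ip, user, result) tuples.
    syslog lines carry no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line (cron, sudo, ...)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect_default_sweeps(events, min_users=3, window_s=60):
    """Flag sources that fail logins for >= min_users distinct factory usernames
    within window_s seconds, and record any default account that then succeeded."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological; tuples sort on the timestamp first
        for i, (t0, _, _, _) in enumerate(evs):
            failed, accepted = set(), None
            for t, _, user, result in evs[i:]:
                if (t - t0).total_seconds() > window_s:
                    break
                if user not in DEFAULT_USERS:
                    continue  # ordinary user accounts are not part of a sweep
                if result == "Failed":
                    failed.add(user)
                else:
                    accepted = user
            if len(failed) >= min_users:
                alerts[ip] = {
                    "distinct_default_users": sorted(failed),
                    "default_login_after_sweep": accepted,
                }
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for ip, info in detect_default_sweeps(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

On the sample, 203.0.113.7 is flagged for four distinct default usernames and a successful root login two seconds after the sweep, which is the case that deserves an immediate response; alice's single failed password from 198.51.100.4 is not. Telnet, RDP and web-UI logs need their own parser, but the grouping and windowing logic is the same.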

🚨 What can we do about it?

For individuals:

- Change every default password immediately after installing a new device, and pick a unique one rather than another common code.

- Disable remote access or “smart” features you don’t need.

- Put smart-home gadgets on a separate Wi-Fi network (a guest or IoT network) from your laptops and phones.

- Keep firmware and apps updated; automatic updates are your friend.

For organizations:

- Require default credentials to be changed before any device or software is connected to the network.

- Scan regularly for systems that still accept default or weak credentials.

- Replace or isolate devices whose factory passwords cannot be changed.

- Write "no default settings" into IT and security standards and make it part of the go-live checklist.
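One way to carry out the "scan regularly" step above, as an added example written for this post and not code from the original: try a short list of factory-default pairs against each device's web UI and report the first one that is accepted. It assumes the devices authenticate with HTTP Basic auth on a /login path, uses a constructed pair list far shorter than any real scanner would carry, and ships with a fake in-process device so it runs offline. A real audit would use each product's actual login method and, of course, written authorisation to probe the hosts.

```python
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import ProxyHandler, Request, build_opener

# Constructed sample of the "admin/1234"-style factory pairs the post mentions.
DEFAULT_PAIRS = [
    ("admin", "admin"), ("admin", "1234"), ("admin", "password"),
    ("root", "root"), ("root", "12345"), ("user", "user"),
]

# Opener with no proxies so a local test device is reached directly.
_OPENER = build_opener(ProxyHandler({}))


def try_login(url, user, password, timeout=3):
    """True if HTTP Basic auth with user/password is accepted (2xx),
    False if rejected (401/403/...), None if the host is unreachable."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except HTTPError:
        return False
    except URLError:
        return None


def audit(urls, pairs=DEFAULT_PAIRS):
    """Map each URL to the first accepted default pair, or None if clean."""
    findings = {}
    for url in urls:
        findings[url] = None
        for user, pw in pairs:
            if try_login(url, user, pw):
                findings[url] = (user, pw)
                break  # one accepted pair is enough to flag the device
    return findings


class FakeDevice(BaseHTTPRequestHandler):
    """Stand-in for a device web UI (constructed for this example). It accepts
    exactly one username/password over Basic auth and rejects everything else."""
    accepted = ("admin", "1234")

    def do_GET(self):
        expected = base64.b64encode(":".join(self.accepted).encode()).decode()
        if self.headers.get("Authorization") == f"Basic {expected}":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="device"')
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_fake_device(accepted):
    """Serve a FakeDevice on a random loopback port; returns (server, login URL)."""
    handler = type("Device", (FakeDevice,), {"accepted": accepted})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/login"


def demo():
    """Audit one device left on its factory default and one whose password was changed."""
    unchanged, url_unchanged = start_fake_device(("admin", "1234"))
    hardened, url_hardened = start_fake_device(("admin", "Tq9!vL2#pX8wR"))
    try:
        return audit([url_unchanged, url_hardened])
    finally:
        for srv in (unchanged, hardened):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for url, hit in demo().items():
        status = "DEFAULT CREDENTIALS ACCEPTED: %s/%s" % hit if hit else "clean"
        print(url, status)
```

The scan stops at the first accepted pair per host, which keeps the noise (and the lockouts) down; the first device is reported with admin/1234 and the hardened one comes back clean. Feed it the URLs from your asset inventory, run it on a schedule, and treat any hit as a ticket, not a statistic.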

If your camera, router, or chatbot still uses "admin/admin," it’s not protecting you – it’s helping someone else watch, steal, or charge a ransom.