Hacker Leaks More Than 500K Telnet Credentials for IoT Devices

Bad actor obtained passwords for servers, home routers, and smart devices by scanning internet for devices open to the Telnet port.

A hacker has published a list of credentials for more than 515,000 servers, home routers and other Internet of Things (IoT) devices online on a popular hacking forum in what’s being touted as the biggest leak of Telnet passwords to date, according to a published report.

The leak—revealed in a report on ZDNet—demonstrates once again the inherent insecurity of the Telnet protocol as well as highlights persistent security flaws that could affect business networks as more and more so-called “smart” devices connect to the internet from home networks.

The hacker compiled the list, which includes each device’s IP address, as well as a username and password for Telnet, by scanning the entire internet for devices that were exposing their Telnet port, according to the report. The bad actor then used factory-set default usernames and passwords and/or easy-to-guess password combinations to gain credentials, according to ZDNet.

The list the hacker compiled is known as a “bot list,” which IoT botnet operations rely on to connect to devices and install malware. The hacker, who himself is a maintainer of a DDoS-for-hire (also known as a DDoS booter) service, according to the report, had a vested interest in compiling such an extensive list because of a change in the way he conducts his business, according to ZDNet.

The one spot of good news for those owning devices on the list is that all the credentials leaked by the hacker are dated October to November 2019, which means some of the devices might now use different login credentials or run on different IP addresses, according to the report.
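The article describes the leaked “bot list” as entries of IP address, username and password, notes that many were gathered with factory-default credentials, and points out that entries dated October to November 2019 may already be stale. The following added example (not code from the article, ZDNet or any vendor mentioned) shows how a defender might triage such a dump against their own address space: it parses an assumed “ip username password” line format (the article does not specify the format), keeps only entries inside the organization’s own CIDR blocks, flags factory-default pairs from a constructed list, and marks whether the dump is old enough that credentials or addresses may have changed. It never connects to any device.

```python
"""Triage a leaked Telnet bot list against an organization's own address ranges.

Added example, not from the article. The line format and the default-credential
table are assumptions; the sample dump below is constructed, not real leak data.
"""
import ipaddress
from datetime import date

# Constructed sample in the assumed "ip username password" format
# (uses RFC 5737 documentation addresses; none of these are real leaked entries).
SAMPLE_LEAK = """\
203.0.113.7 admin admin
203.0.113.9 root 12345
198.51.100.4 user user
192.0.2.55 admin Tr0ub4dor&3
this line is malformed
"""

# Constructed illustrative set of factory-default username/password pairs.
DEFAULT_PAIRS = {
    ("admin", "admin"), ("admin", "1234"), ("admin", "password"),
    ("root", "root"), ("root", "12345"), ("user", "user"),
}

# The article dates the leaked entries to October-November 2019.
LEAK_DATE = date(2019, 11, 1)


def parse_bot_list(text):
    """Yield (ip_address, username, password) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # not the assumed three-field format
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an IP address
        yield ip, parts[1], parts[2]


def triage(text, own_cidrs, today=None, stale_after_days=90):
    """Return the entries that fall inside own_cidrs, each with triage flags.

    The password itself is deliberately not carried into the result; only a
    flag saying whether the pair matches a known factory default is kept.
    """
    nets = [ipaddress.ip_network(c) for c in own_cidrs]
    today = today or date.today()
    possibly_stale = (today - LEAK_DATE).days > stale_after_days
    hits = []
    for ip, user, password in parse_bot_list(text):
        if not any(ip in net for net in nets):
            continue  # someone else's device; nothing for us to remediate
        hits.append({
            "ip": str(ip),
            "user": user,
            "default_credential": (user, password) in DEFAULT_PAIRS,
            "possibly_stale": possibly_stale,
        })
    return hits


def summarize(hits):
    """Count how many in-scope entries used factory-default credentials."""
    defaults = sum(1 for h in hits if h["default_credential"])
    return {"in_scope": len(hits), "default_credential": defaults}


if __name__ == "__main__":
    found = triage(SAMPLE_LEAK, ["203.0.113.0/24", "192.0.2.0/24"])
    for h in found:
        print(h)
    print(summarize(found))
```

In practice the own_cidrs list would come from the asset inventory, and every in-scope hit warrants disabling Telnet on the device (or replacing it) rather than merely rotating the password, since the protocol itself carries credentials in the clear.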

Telnet, a remote access protocol that can be used to control devices over the internet, is a notoriously weak service that can easily be backdoored. Hackers have long exploited the service in DDoS and other botnet-related attacks.

The latest password dump is a reminder not just that the service itself is inherently insecure, but also stresses once again that IoT devices should be secured out of the box by device makers. Relying on home users—who often forget to do something as simple as change the default passwords that come standard with a device—is risky behavior, security experts said.

Indeed, not only are device users and smart homes at risk, but the enterprise, too, faces new security challenges because of these insecure IoT devices, said Raphael Reich, vice president of marketing at security firm CyCognito.

“This is a reminder that cloud-based servers, DevOps platforms, and partner networks that connect to an organization but are outside the full control of IT and security teams are often blind spots that provide an open and tempting pathway to attackers,” he said in an email to Threatpost.

The latest Telnet breach reinforces the need for organizations to expand their maps of their attack surface to “expose those blind spots, or ‘shadow risk,’ and eliminate any critical attack vectors before attackers leverage them,” Reich said.

