Telnet Passwords Leaked for Half a Million IoT Devices, Servers, Routers

The above photo, taken by Damian Rollison at CES 2020, features a smart faucet from Kohler with Google Assistant integration.

An anonymous hacker leaked Telnet credentials for 515,000 devices, including routers, servers, and Internet-of-Things devices. ZDNet, which first reported on the story, called it the biggest hack to date of Telnet passwords.

The breach is particularly significant given the rapid expansion of smart or IoT devices. Given that consumers already struggle to secure basic electronic devices including laptops and smartphones, the Telnet breach indicates how much larger the security risk for personal devices may become in coming years as smart speakers, TVs, and fridges join the legion of devices open to hackers.

Reports indicate this hack was hardly the work of a coding mastermind. The hacker scanned the Web for exposed Telnet ports and then tested them for commonly used usernames and passwords.

What’s more, Telnet is an obsolete remote login protocol that points to the prevalence of preventable security issues undermining the safety of consumer devices. One expert told the media site Computing that Telnet “belongs in the museum of hilariously bad security issues.”

The corporate responsibility to protect consumer data is part of the privacy movement pushed forward this month by the enactment of the California Consumer Privacy Act. Under California’s law, the first of what is likely a number of state privacy laws to be implemented in the next few years, companies can be sued by consumers and the state attorney general for failing to take proper steps to safeguard user information.