ZDNet today reported that a hacker published the IP addresses, usernames and passwords used to access roughly 515,000 internet-connected devices via the Telnet protocol. That information could be used to remotely control the affected products.
The leaked credentials are said to belong to servers, routers and Internet of Things devices that exposed their Telnet port to the internet. Once the hacker found those devices, they either used the manufacturer's default account credentials or correctly guessed the username/password combination that secured the devices.
ZDNet said the credentials were leaked by a distributed-denial of service (DDoS) botnet operator who collected them between October and November 2019. It's possible that some of the devices have changed IP addresses or account credentials by now. (Not that it would be hard to find their new IP address with a quick search.)
Attackers could use those credentials to gain remote access to the affected devices. That access could in turn allow the attackers to recruit the devices in botnets that would be used to conduct DDoS attacks, engage in ad fraud or assist with other schemes. Adding more than half a million devices to a botnet could be useful.
People who rely on these so-called smart devices might want to make sure their Telnet credentials are different from the manufacturer's default username/password combination, hard to guess and private. Otherwise they might find out their internet-connected toaster is doing more than just burning their bread every morning.