According to the Internet Storm Center, default credentials remain the most exploited vector for IoT devices; a vulnerability assessment revealed multiple IPs accessible using these settings on a newly installed security system. Over an eight‑day window (18–25 January 2026) there were 44,269 failed connection attempts and 1,286 successful logins, a 2.9% success rate that still yielded over a thousand compromised sessions, including 621 that used the username root and 154 that used the password admin.
The data showed the password 123456 rising from 15% to 27%, and 406 sessions shared the same HASSH fingerprint, 2ec37a7cc8daf20b10e1ad6221061ca5, with 47 sessions matching all three indicators. Notably, some sessions conducted reconnaissance and attempted to modify passwords or persist SSH keys, highlighting how botnet scanning activity can exploit weak IoT credentials. On 19 January 2026 there were 14,057 failed attempts in a single day.
The piece stresses immediate credential changes and aligns with MITRE ATT&CK guidance, urging defence in depth, strong unique credentials, MFA where possible, device fingerprinting, and continuous monitoring to mitigate these risks.
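
An added example, not taken from the Internet Storm Center piece: one way to triage SSH honeypot login records against the indicators named above and list the sessions that match all of them. The JSON-lines schema and the sample events are constructed, and treating username root, password admin and the quoted HASSH as the three indicators is an assumption.

```python
import json
from collections import defaultdict

# Indicators to watch. The HASSH is the one quoted in the summary; pairing it
# with root/admin as "the three indicators" is an assumption of this example.
WATCH = {"user": "root", "password": "admin",
         "hassh": "2ec37a7cc8daf20b10e1ad6221061ca5"}

# Constructed sample: one login attempt per line, hypothetical schema.
SAMPLE = """\
{"session":"s1","user":"root","password":"admin","success":true,"hassh":"2ec37a7cc8daf20b10e1ad6221061ca5"}
{"session":"s2","user":"root","password":"123456","success":true,"hassh":"2ec37a7cc8daf20b10e1ad6221061ca5"}
{"session":"s3","user":"admin","password":"admin","success":true,"hassh":"00000000000000000000000000000000"}
{"session":"s4","user":"root","password":"admin","success":false,"hassh":"2ec37a7cc8daf20b10e1ad6221061ca5"}
{"session":"s5","user":"pi","password":"raspberry","success":false,"hassh":"00000000000000000000000000000000"}
not-json garbage line
{"session":"s6","user":"root","success":true}
"""

def parse(text):
    """Yield well-formed events; skip non-JSON lines and records missing fields."""
    required = {"session", "success", *WATCH}
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and required.issubset(ev):
            yield ev

def triage(events):
    """Count attempts and record which indicators each successful session matched."""
    failed, hits = 0, defaultdict(set)
    for ev in events:
        if not ev["success"]:
            failed += 1
            continue
        # Touching hits[...] registers the session even if nothing matches.
        hits[ev["session"]].update(k for k, v in WATCH.items() if ev[k] == v)
    per_indicator = {k: sum(k in m for m in hits.values()) for k in WATCH}
    all_three = sorted(s for s, m in hits.items() if m == set(WATCH))
    return {"failed": failed, "successful": len(hits),
            "per_indicator": per_indicator, "all_three": all_three}

if __name__ == "__main__":
    print(json.dumps(triage(parse(SAMPLE)), indent=2))
```

Sessions that match every indicator are the ones worth reviewing first for the follow-on behaviour described above, such as password changes or added SSH keys.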