Hacker Exposes Credentials for over 500,000 Internet-connected Devices

• The devices on the published Telnet list were from all over the world.
• It is not known how many of these credentials are still valid.

A hacker reportedly published a massive list of Telnet credentials for more than 515,000 servers, home routers, and IoT devices on an online forum. These types of lists—called ‘bot lists’—are a common component of an IoT botnet operation.

What is Telnet?

Telnet is a communication service protocol that helps a user in controlling a remotely connected device over the TCP/IP network.

Findings by experts

The list was compiled by scanning the entire internet for connected devices with exposed Telnet ports.

• To prepare the list, the hacker likely used two methods; using factory-set default usernames and passwords; and attempting easy-to-guess password combinations.
• The devices on the Telnet list were from all over the world, which included each device's IP address and username/ password for the Telnet service.
• While a few of them were based on home networks, most of them were based on reputed cloud service providers.

Experts, who also spoke to the hacker, revealed that he was previously a maintainer of a DDoS-for-hire service. After being questioned on why he published the list, the hacker said he upgraded his DDoS service from working on top of IoT botnets to a new model that relies on renting high-output servers from cloud service providers.

The ongoing dialogue

As per various reports, the leaked list has data from October-November 2019. It is not known how many of these credentials are still valid. Some of these devices are expected to be now running on a different IP address, or using different login credentials. Despite that, experts believe the lists remain incredibly useful for a skilled attacker.

Final analysis

Misconfigured devices are often clustered on the network of one single ISP. It happens due to misconfiguration of the devices by the ISP staff while deploying them to their respective customer bases. An attacker can use the IP addresses included in the leaked lists to determine the service provider and then re-scan the ISP's network to update the list with the latest IP addresses.