Cyber security threats are continuing to get smarter and more automated. Yet, one of the simplest security measures: changing factory-set and default passwords, remains widely neglected. These pre-configured credentials, such as “admin” or “123456,” are intended for initial setup only, but many businesses leave them unchanged. This oversight creates an open door for cyber criminals to infiltrate networks, compromise sensitive data and even hijack physical security systems like office cameras.
Recent studies reveal the scale of the problem: 86% of router admin passwords have never been changed from their factory defaults. Weak or stolen passwords account for 81% of hacking-related breaches. These figures underscore how default credentials remain one of the most exploited vulnerabilities in corporate environments. Attackers don’t need sophisticated tools, they simply rely on publicly available lists of default passwords to gain administrative access.
The risk of leaving default passwords unchanged
When default passwords remain in place, attackers can easily gain privileged access to critical systems. This isn’t limited to routers; IoT devices, printers and even cloud applications often ship with hardcoded credentials. Once inside, hackers can pivot across networks, intercept traffic and deploy ransomware.
The consequences are staggering. In 2025 alone, credential theft surged by 160%, driving more than one in five data breaches globally. A single breach exposed 16 billion login credentials, including accounts from major platforms like Google and Facebook. These statistics highlight how poor password hygiene is a systemic vulnerability that can cripple businesses financially and reputationally.
Office security cameras can be a hacker’s gateway
One of the most alarming risks of unchanged factory settings is the compromise of office security cameras. Hackers have exploited vulnerabilities in popular brands like Hikvision and D-Link, often using default credentials to gain full control of devices. Once inside, attackers can view live feeds, download configuration files containing user credentials, and even use cameras as a pivot point for deeper network attacks. [forbes.com]
The implications go beyond privacy. Compromised cameras can expose sensitive data indirectly. Imagine an attacker watching employees type passwords into laptops or accessing confidential documents during meetings. This isn’t hypothetical—websites exist that aggregate hacked camera feeds, many of which were accessed simply because users failed to change default passwords. Such breaches turn physical security tools into cyber liabilities.
The business cost of weak or default passwords is enormous. The average cost of a data breach involving stolen credentials is £3.32million. Beyond financial loss, companies face regulatory penalties, reputational damage and operational downtime. Attackers increasingly automate credential-stuffing attacks, making the use out of billions of leaked passwords to breach accounts at scale. In fact, 19 billion passwords were leaked between 2024 and 2025, with 94% being reused or weak.
Changing default passwords is one of the easiest and most effective steps businesses can take to mitigate these risks, then combine this with strong password policies, multi-factor authentication and regular audits of network devices.
Cyber security isn’t just about advanced firewalls or AI-driven threat detection, it starts with basic hygiene. Don’t let a factory setting become your weakest link.
Key takeaways
- 86% of router admin passwords remain unchanged, creating easy entry points for attackers
- 81% of hacking-related breaches involve weak or stolen passwords
- Office cameras with default credentials have been actively exploited, exposing live feeds and sensitive data
- Credential theft surged 160% in 2025, with billions of passwords leaked globally