A massive list of login credentials for Internet of Things products that could allow anyone to access a number of internet-connected routers and other devices have been discovered online by security researchers.

Researchers at the GDI Foundation, a nonprofit organization based in the Netherlands that works to improve internet security, came across the list of credentials dumped at a Pastebin address —a site for storing text online that can be used anonymously.

The collection of credentials, which first went online in June but has been updated numerous times since it was originally posted, contained the usernames and passwords for more than 8,233 unique IP addresses—2,174 of which were discovered to be running open telnet servers, a protocol that allows a person to remotely connect to a device.

STRUCTURE SECURITY -- USE THIS ONE
Newsweek is hosting a Structure Security Event in San Francisco, Sept. 26-27. Newsweek Media Group

According to experts at the GDI Foundation, 1,774 of those active telnet services were accessible using the leaked credentials—meaning anyone who visits the Pastebin link could theoretically gain administrative access to any of the devices on active servers.

The list existed online for months with relatively few views, receiving under 1,000 hits between June and August—though it’s believed many of those visitors were people who used the credentials for malicious purposes.

The database has gained traction in the last week after Ankit Anubhav, the principal security researcher at NewSky Security tweeted a link to it in order to highlight the threat. Since then it has received more than 13,000 visits.

Internet of Things devices have been criticized for their lack of proper security protocols, including often using the same default usernames and passwords for millions of devices. That problem is borne out in the Pastebin database, which shows just 144 unique username and password combinations in the 8,233 hosts listed.

It may seem at first glance there isn’t much threat posed by a collection of login credentials for an assortment of internet-connected devices, but there are a number of ways a threat actor could use the information to compromise the owner of the device or use it in a more widespread attack.

Specifically, unsecured Internet of Things devices have become an asset to malicious actors launching distributed denial of service (DDoS) attacks. These attackers infect internet-connected devices and use them to direct huge waves of traffic at a target, taking a website or service offline or preventing others from being able to access it. These collections of zombie devices controlled by an attacker are called botnets.

Internet of Things devices were vital to building the Mirai botnet, a massive collection of compromised devices used to launch a number of massive DDoS attacks against major online targets. The botnet was used to disrupt service for more than one million Deutsche Telekom subscribers in 2016.

The Mirai botnet was also used to target Domain Name System (DNS) provider Dyn. The attack caused major internet outages for a number of web-based sites and services, including Twitter, Netflix, Spotify, Amazon, communications platform Slack, and the New York Times.