A list of thousands of fully functional Telnet credentials was leaked online, which reportedly remained publicly exposed since 11 June. Security researchers uncovered that credentials over 1,700 IoT devices were leaked, sparking fears of hackers potentially being able to hijack thousands of home routers and smart devices and potentially create a vicious new botnet.
The list, which was first reportedly spotted by New Sky Security researcher Ankit Anubhav, included device names, IP addresses and passwords. There were over 33,000 entries on the list, which have reportedly been viewed by thousands since the list went viral on Twitter over the weekend.
GDI Foundation chairman Victor Gevers, who analysed the leaked list, told Bleeping Computer that only 1,775 credentials were still working. He also said that the list contained duplicates and actually only contained 8,233 unique IP addresses.
"There's not much new about devices standing out there with default or weak credentials," security researcher Troy Hunt, who runs the Have I Been Pwned breach notification service, told ArsTechnica. "However, a list such as we're seeing on Pastebin makes a known bad situation much worse as it trivializes the effort involved in other people connecting to them. A man and his dog can now grab a readily available list and start owning those IPs."
Meanwhile, security experts, including Gevers, are racing to inform the owners of the IoT devices affected by the leak.
"I am going to try to see if I can locate the owner. Otherwise, I will contact the ISP," Gevers told Bleeping Computer, explaining his process. "I am going through these on a per country basis. I started in Europe slowly moving toward US, and as for last, Asia. China is the biggest to check."
"I already got a few ISPs to confirm our reports and they have already taken action in Europe," the researcher said, adding, "There are devices on the list of which I never heard of. According to Gevers, this "makes the identification process much slower".
Although the identity of the individual who leaked the list remains unknown, Anubhav told ArsTechnica that the list was posted by someone who had also previously published an array of botnet source code and valid login credentials.