19 incidents documented
270M+ people affected
$35B+ in damages and fines
1988–2025 span of vulnerabilities
Every device on this page was marketed as making life easier, safer, or more convenient.
Every one of them was used to hurt the people who bought it. The pattern is always the same:
a company ships a connected device, prioritises features over security, and real people pay the price.
The fish tank was just the beginning.
2025 — It keeps happening
2025
Grow lights
A grow light exposed 2.7 billion records — including your Wi-Fi password
Mars Hydro IoT grow lights stored 2.7 billion records in an unprotected database —
no password, no encryption, nothing. The data included Wi-Fi network names and passwords,
IP addresses, device IDs, and API tokens. Your home network credentials, in a database anyone could find,
because a grow light company forgot to set a password.
Why this is the new fish tank
In 2017, a fish tank thermometer hacked a casino. In 2025, a grow light exposed your Wi-Fi password. The devices get dumber. The consequences get worse.
2025
Android TV boxes
10 million streaming boxes came pre-infected with malware from the factory
BadBox 2.0: cheap Android TV boxes, tablets, and digital picture frames sold on Amazon, Temu,
and AliExpress arrived with malware pre-installed in the firmware. 10 million devices across
222 countries, turned into criminal proxies for ad fraud, DDoS attacks, and stealing two-factor codes.
The malware survives factory resets. The FBI issued a warning. Google sued. The devices are still for sale.
What happened to real people
People bought a $30 streaming box. It was already compromised before they plugged it in. Their home networks became criminal infrastructure. Factory reset doesn't help.
2025
Smart cameras
TAPOcalypse: every Tapo C200 camera shares the same SSL key
Researcher Simone Margaritelli disclosed 16 vulnerabilities in TP-Link Tapo cameras,
including a hardcoded SSL private key shared across every Tapo C200 ever manufactured.
An attacker on your Wi-Fi can hijack any Tapo camera and watch the video feed.
25,000 devices found exposed online. TP-Link took 150 days to issue an advisory.
What happened to real people
One SSL key for millions of cameras. One attacker, millions of living rooms. The researcher named it TAPOcalypse. The name was generous.
2025
Smart padlock
Master Lock’s smart padlock leaks the unlock code and can’t be audited
USENIX WOOT 2025 researchers found Master Lock smart padlocks leak the primary unlock code
to guest users via the API — and guests retain access even after revocation. The anti-theft PIN is
stored in plaintext. Attackers can forge audit events and suppress real ones. The company that defined
"lock" made a digital one that is less secure than a $5 combination padlock from 1970.
What happened to real people
Anyone you ever shared guest access with still has your unlock code. The audit log can be forged. You cannot prove who opened it or when.
2024
Robot vacuum
Robot vacuums hijacked to scream racial slurs at families
Families across US cities reported their Ecovacs Deebot X2 Omni vacuums being taken over by hackers.
A lawyer in Minnesota was watching TV when his vacuum started screaming racial slurs and chasing his dog around the house.
The attacker could see through the camera, drive the robot, and yell through the speaker —
all through a Bluetooth vulnerability exploitable from 100 metres away.
What happened to real people
Children and pets terrorised by a household appliance turned weapon. Families felt violated in their own homes. Ecovacs initially downplayed the reports.
2024
Hotel locks
$50 master key opens 3 million hotel rooms worldwide
Researchers disclosed "Unsaflok" — a vulnerability in Dormakaba Saflok hotel locks
affecting 3 million doors across 13,000 properties in 131 countries. Using $50 of off-the-shelf hardware,
they could create a master key for any Saflok hotel. Marriott, Hyatt, IHG, Wyndham — all affected.
The vulnerability had existed since 1988. Eighteen months after disclosure, only 36% of locks were patched.
What happened to real people
Every hotel guest with a Saflok lock has been sleeping behind a door that could be opened with a $50 gadget. For 36 years.
2024
Robot dog
Chinese robot dog has a backdoor that lets anyone watch through its eyes
Security researchers found every Unitree Go2 robot dog has a pre-installed remote access tunnel
connecting to servers in China. Through this tunnel, Unitree — or anyone who hacks them — can access
the robot's cameras, microphone, and movement controls. The tunnel is active by default and cannot be disabled.
API keys are transmitted in plaintext. Hack one, access all.
What happened to real people
Every Unitree robot dog owner has an always-on surveillance tunnel in their home, controlled from China.
2024
Home cameras
13,000 Wyze users saw inside strangers' homes
A caching bug in Wyze cameras showed 13,000 users thumbnail images and video feeds from
other people's cameras. Baby nurseries. Living rooms. Bedrooms. Wyze initially said 14 people were affected,
then admitted it was 13,000. This was the third major security incident in two years —
after hiding a camera vulnerability for three years (2019-2022).
What happened to real people
Strangers saw inside your home because of a bug in a $30 camera. Wyze lied about the scale by 928x.
2024
Security cameras
Security camera company employees used cameras to spy on women
The FTC fined Verkada $2.95 million after finding employees used the company's own cameras
to spy on female coworkers, sharing images in a Slack channel called "#RawDogNation." Separately, a 2021
breach exposed 150,000 cameras at Tesla factories, hospitals, psychiatric facilities,
prisons, and schools. The breach occurred through a single admin account with no MFA.
What happened to real people
Women harassed by coworkers through security cameras. Psychiatric patients filmed. Prison inmates exposed. All from one company.
2023
Garage door
Researcher could open any Nexx garage door in America. Nexx ghosted everyone.
Security researcher Sam Sabetan found hardcoded credentials in Nexx smart garage controllers
— the same universal password in every device. He could open, close, or monitor any Nexx garage door remotely.
He told Nexx. They ghosted him. He told CISA. Nexx ghosted them too. CISA issued a 9.3/10 severity advisory.
Nexx has never responded to anyone.
What happened to real people
Every Nexx garage door in the world can be opened remotely, and the company that sold it has gone permanently silent.
2023
Email appliance
Barracuda: "Throw your device in the trash"
Chinese hackers so deeply compromised Barracuda Email Security Gateway appliances
that Barracuda told customers to physically destroy their devices. Not patch.
Not reset. Not return. Throw them in the trash and buy new ones.
The attackers had persistent access that survived factory resets. An unprecedented instruction
in cybersecurity history.
What happened to real people
Organisations worldwide had to trash expensive hardware because the compromise was irreversible. Email contents of countless businesses were exposed.
The Classics — 2012–2017
2017
Aquarium thermometer
A fish tank hacked a casino
Attackers breached a North American casino through a smart aquarium thermometer
connected to the lobby fish tank. The internet-connected thermometer was on the same network as
the casino's high-roller database. The attackers used it as an entry point to exfiltrate
10GB of data to a server in Finland. Reported by Darktrace CEO Nicole Eagan at
a Wall Street Journal CEO Council event.
Why this matters
The most expensive fish tank in history. A $50 thermometer became the door to a database worth millions. The fish were fine. The high rollers were not.
2016
IoT cameras & routers
Mirai: half the internet went down because of cheap webcams
The Mirai botnet enslaved hundreds of thousands of IoT devices — security cameras,
DVRs, and routers with default passwords — into a massive DDoS weapon. On October 21, 2016,
it attacked Dyn DNS and knocked out Twitter, Netflix, Reddit, Spotify, GitHub, CNN, and the New York Times
simultaneously. The devices had shipped with passwords like "admin/admin" and "root/root" that most owners never changed.
What happened to real people
Half the internet went down because millions of $20 cameras shipped with "admin/admin." The largest DDoS attack in history, powered by baby monitors and security cameras.
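Mirai's recruitment phase leaves a recognisable trace on the defender's side: one source address cycling through a short list of default usernames against many devices in seconds, and the occasional success. The script below is an added example (not part of the original page, and not Mirai or any vendor's code) that runs that detection over a few constructed syslog-style telnet login lines. The log format, the management subnet, the thresholds and the default-username list are all assumptions made for the illustration.

```python
"""Detect Mirai-style default-credential login sweeps in IoT telnet logs.

Added example for this page. The log format, thresholds, management subnet and
default-username list are constructed for illustration, not taken from any device.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames from the default pairs the page names ("admin/admin", "root/root").
DEFAULT_USERS = {"admin", "root"}
# Assumption: administrators log in from this subnet; anything else is suspect.
MGMT_NET = ipaddress.ip_network("192.168.1.0/24")
WINDOW = timedelta(seconds=60)   # how close together failures must be
MIN_FAILURES = 3                 # failures inside the window to count as a sweep
MIN_TARGETS = 2                  # distinct devices hit inside the window

# Constructed sample lines from several cheap cameras/DVRs on one LAN.
SAMPLE_LOG = """\
Oct 21 11:58:01 cam-01 telnetd[211]: login failed for 'root' from 203.0.113.5
Oct 21 11:58:02 cam-01 telnetd[211]: login failed for 'admin' from 203.0.113.5
Oct 21 11:58:03 dvr-02 telnetd[340]: login failed for 'root' from 203.0.113.5
Oct 21 11:58:03 cam-03 telnetd[198]: login failed for 'admin' from 203.0.113.5
Oct 21 11:58:04 cam-03 telnetd[198]: login succeeded for 'admin' from 203.0.113.5
Oct 21 11:59:10 cam-01 telnetd[212]: login failed for 'alice' from 192.168.1.20
Oct 21 12:03:00 cam-01 telnetd[213]: login succeeded for 'alice' from 192.168.1.20
Oct 21 12:10:00 dvr-02 telnetd[341]: login failed for 'root' from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) telnetd\[\d+\]: "
    r"login (?P<result>failed|succeeded) for '(?P<user>[^']+)' from (?P<src>\S+)$"
)


def parse(log_text):
    """Turn matching lines into event dicts; lines in other formats are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; only differences matter here.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def find_sweeps(events):
    """Sources with >= MIN_FAILURES failed logins on >= MIN_TARGETS hosts inside WINDOW."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "failed":
            by_src[e["src"]].append(e)
    findings = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):            # sliding window over sorted failures
            while fails[end]["ts"] - fails[start]["ts"] > WINDOW:
                start += 1
            window = fails[start:end + 1]
            hosts = {e["host"] for e in window}
            if len(window) >= MIN_FAILURES and len(hosts) >= MIN_TARGETS:
                prev = findings.get(src)
                if prev is None or len(window) > prev["failures"]:
                    findings[src] = {"failures": len(window),
                                     "hosts": sorted(hosts),
                                     "users": sorted({e["user"] for e in window})}
    return findings


def find_default_logins(events):
    """Successful logins with a default username from outside the management net."""
    hits = []
    for e in events:
        if e["result"] != "succeeded" or e["user"] not in DEFAULT_USERS:
            continue
        if ipaddress.ip_address(e["src"]) in MGMT_NET:
            continue
        hits.append((e["host"], e["user"], e["src"]))
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for src, info in find_sweeps(evs).items():
        print(f"SWEEP from {src}: {info}")
    for host, user, src in find_default_logins(evs):
        print(f"DEFAULT-CREDENTIAL LOGIN on {host}: '{user}' from {src}")
```

Run as-is it reports one sweep (203.0.113.5 hitting three devices with 'root' and 'admin' within a few seconds) and one successful default-username login on cam-03 from that same source, which is the device that still ships with "admin/admin" and is now recruited. The thresholds are deliberately low for the sample; on a real LAN you would tune them against your baseline of legitimate telnet (ideally zero).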
2015
Vehicle
Hackers took control of a Jeep at 70mph on a highway
Security researchers Charlie Miller and Chris Valasek remotely controlled a Jeep Cherokee
while a Wired journalist drove it on a highway at 70mph. They disabled the brakes, killed the engine,
and took over steering — all through the UConnect infotainment system. Chrysler recalled
1.4 million vehicles. The researchers demonstrated that connected cars could be lethal weapons.
What happened to real people
A journalist lost control of his vehicle on a public highway. 1.4 million vehicles recalled. The first proof that a hacker could kill someone through a car's internet connection.
2015
Children's tablet
6.4 million children's photos and chat logs leaked from a toy company
VTech's Learning Lodge database was breached, exposing 6.4 million children's
names, dates of birth, genders, photos, and parent-child chat logs. The attacker found no encryption,
MD5 password hashing, and SQL injection vulnerabilities. VTech's response? Update the terms of service to say
data theft was the customer's risk to accept. The FTC fined them $650,000 — about ten cents per child.
What happened to real people
Children's photos and private messages with their parents appeared on the internet. The photos are still out there. The children are now teenagers.
2013
HVAC system
Target: 40 million credit cards stolen through the air conditioning
Attackers breached Target by first compromising Fazio Mechanical, a small HVAC vendor
with network access for billing and project management. From the HVAC vendor's credentials, attackers
pivoted to Target's point-of-sale systems and stole 40 million credit card numbers
and personal data of 70 million customers. Target paid $18.5 million in settlements.
The CIO and CEO both resigned.
What happened to real people
40 million people's credit cards compromised. Fraudulent charges. Card replacements. The second-largest retail breach in US history, started by a heating contractor.
2013
IP cameras
Baby monitors livestreamed to the internet. No password required.
The FTC's first-ever IoT enforcement action targeted TRENDnet, whose "SecurView" cameras
had a firmware bug making live video feeds publicly accessible — no password needed.
700+ cameras exposed: baby monitors, bedrooms, living rooms. The feeds were indexed by search engines
and shared on message boards. The product had "Secure" in its name.
What happened to real people
Strangers watched families through their own cameras. Baby cribs livestreamed. Bedrooms exposed. A website called Insecam later aggregated 73,000 similar cameras.
The Pattern
Every incident on this page follows the same script. The device, the industry, and the year change. The pattern never does.
1. Ship fast, patch later
Security is expensive. Features sell devices. Every product on this page shipped with known or discoverable security flaws because fixing them would have delayed launch or increased cost.
2. The network is flat
The fish tank and the casino database were on the same network. The HVAC vendor had access to Target's payment systems. Connected devices are only as secure as the weakest thing on the network.
3. End-of-life means end-of-security
Wemo, D-Link, Nexx — when a company decides a product is "end of life," security patches stop. The device stays plugged in. The vulnerabilities stay open. Forever.
4. Default credentials are universal keys
Mirai used 61 default username/password pairs to enslave hundreds of thousands of devices. Nexx used one hardcoded password for every device. Convenience for the user is convenience for the attacker.
5. The company disappears
Nexx ghosted CISA. VTech blamed the customer. Dormakaba took 18 months. When the breach happens, the company that sold you "smart" and "secure" is nowhere to be found.
6. You can't un-breach a face
Camera footage, children's photos, biometric data — once leaked, there is no password reset. The data exists forever. The harm compounds over time. The "convenience" of connected cameras creates irreversible exposure.