During the recent investigation into the October 2025 Louvre Museum heist, it was revealed that parts of the museum’s video surveillance network were protected by the default password “Louvre.” Further reporting indicated that sections of the system operated on Windows Server 2003 and relied on outdated surveillance management software. These findings point to long-term neglect of basic cybersecurity practices – specifically, the continued use of obsolete systems and weak authentication measures.
Such oversights significantly increase exposure to unauthorized acc…
During the recent investigation into the October 2025 Louvre Museum heist, it was revealed that parts of the museum’s video surveillance network were protected by the default password “Louvre.” Further reporting indicated that sections of the system operated on Windows Server 2003 and relied on outdated surveillance management software. These findings point to long-term neglect of basic cybersecurity practices – specifically, the continued use of obsolete systems and weak authentication measures.
Such oversights significantly increase exposure to unauthorized access and data compromise. In many cases, large-scale breaches have started from simple oversights: unpatched systems, missing two-factor authentication, or weak passwords. This article reviews major incidents caused by these failures and outlines practical steps to avoid becoming the next Louvre.
Outdated or unpatched software
At the beginning of 2024, Deutsche Bahn, Germany’s national railway carrier, searched for an administrator to support Windows 3.11 systems. Many companies are still using systems and software outdated decades ago. Such outdated software may contain unpatched vulnerabilities, including third-party libraries and components with known vulnerabilities patched in later builds. This, of course, leads to problems.
For example, the Equifax breach in 2017 was enabled by a known, patchable vulnerability in the Apache Struts framework (CVE-2017-5638). Attackers exploited the unpatched web component to run arbitrary commands on Equifax systems and steal personal data for roughly 143 million U.S. consumers; a patch had been long available before the intrusion but never installed. (nvd.nist.gov)
WannaCry (May 2017) is an example of how unpatched operating systems can propagate damage at scale. The worm used the EternalBlue SMB exploit against Windows systems that had not applied Microsoft’s security updates, encrypting files and disrupting hospitals, manufacturers and service providers worldwide. The incident illustrates how a single, unpatched OS vulnerability can become a global outage. (cloudflare.com)
Back to Louvre: investigators reported parts of the museum’s surveillance estate running on Windows Server 2003, an OS that reached end-of-life over a decade ago and no longer receives security fixes. Running unsupported server software creates exactly the same exposure as the Equifax and WannaCry cases: known weaknesses cannot be patched, and attackers will look for them.
Takeaway: old software is not merely legacy tech — it is an unmonitored attack surface. Patch promptly, and replace platforms that no longer receive vendor security updates.
Missing two-factor authentication
We’ve been strong proponents for two-factor authentication, even if the tech gets in the way of our own work. Still, two-factor authentication is absolutely crucial for securing access, as is clearly demonstrated by the following cases.
The Colonial Pipeline ransomware incident (May 2021) demonstrates the impact of single-factor access control. The initial access vector involved a compromised VPN account; because multi-factor authentication was not enforced for that account, the attackers were able to use the credential to access critical systems and deploy ransomware, causing a multi-day fuel distribution disruption. (CISA)
In the 2020 Twitter takeover, attackers used social engineering and targeted internal tools to post cryptocurrency scams from high-profile accounts; several high-privilege steps were possible because some internal access paths lacked adequate second-factor protections and administrative controls. “For several hours, the world watched while the Hackers carried out a public cyberattack, by seizing one high-profile account after another and tweeting out a “double your bitcoin” scam”, according to the New York State Department of Financial Services report. Post-incident reviews revealed that stronger authentication and tighter admin account controls would have limited the scope of the breach if not prevented it altogether.
It’s a sad reality: many remote access systems, VPNs, cloud admin consoles and SaaS management panels still allow or default to password-only logins. Where multi-factor authentication is optional rather than mandatory, a stolen or phished password remains sufficient to gain entry.
Takeaway: enforce MFA for all administrative and remote access accounts; treat MFA as mandatory for any service that can affect data, finances, operations or safety.
Weak or default passwords
Weak or default passwords remain one of the most persistent and preventable cybersecurity failures. Though they occasionally simplify the job of forensic password recovery, on a global scale, default credentials lead to catastrophic breaches every year, most of which never make it to the press.
For example, the Mirai botnet (2016) exploited factory default and weak credentials on IoT devices (routers, DVRs, cameras). Automated scans logged into devices using credentials such as admin/admin or root/123456, recruited them into botnets, and then launched high-volume DDoS attacks against major targets. The breach, of course, was driven by unchanged vendor defaults. (research.google.com)
Back in 2019, we reported a vulnerability in Synology NAS devices: the encryption feature for file-shares used a single fixed, pre-programmed passphrase (wrapping passphrase) across all units rather than a unique strong key per device (as was originally claimed by the manufacturer). In practice, this meant that if an attacker obtained access to the device’s stored key file (for which just the disk/volume was enough), they could unwrap and decrypt encrypted volumes without cracking a user-set password. (Elcomsoft).
In 2021, attackers gained access to tens of thousands of security cameras via a cloud provider and exposed feeds from hospitals, prisons, offices and schools. The attack was reportedly unsophisticated, involving use of a “super admin” account to gain access to Verkada. The Verkada incident showed how exposed admin credentials and insufficiently restricted super-admin access to camera telemetry can produce widespread privacy and safety impacts. (Bloomberg)
The problem still persists: CCTV systems in India and other countries have been compromised using simple credentials such as admin123, and whole building-access or elevator controllers have been exposed by single default passwords. An IBM survey found that a large majority of router administrators have never changed the factory admin password, quantifying how widespread this basic failure is. (www.ndtv.com)
Takeaway: check each and every internet-connected device; change factory credentials and replace products that do not support secure authentication. Weak or default passwords are trivial for automated attackers to find, remaining one of the most common initial access vectors.
Legislation on default passwords in new devices
Governments are increasingly recognizing that weak or default passwords are not just a user issue but a design flaw. New laws now place responsibility on manufacturers to ensure that devices ship with secure authentication and cannot be accessed with shared, factory-set credentials.
**California, USA **California’s IoT Security Law (SB-327), effective since 2020, was the first in the world to set this precedent. It obliges device makers to either assign unique passwords per unit or require users to change credentials during setup. The measure targets exactly the type of default logins that powered botnets like Mirai.
**European Union **The EU’s Cyber Resilience Act (CRA), adopted in 2024, establishes baseline cybersecurity requirements for all network-connected products. It reinforces the principle that devices must not include universal default passwords and must allow users to set strong credentials on first use. This aligns with the earlier ETSI EN 303 645 IoT security standard, which explicitly bans shared or hard-coded passwords and became the practical baseline for consumer IoT compliance across Europe. Enforcement since mid-2024.
**United Kingdom **The Product Security and Telecommunications Infrastructure (PSTI) Act 2022, in force from April 2024, requires manufacturers to eliminate “easily guessable” default passwords such as admin or 12345. Devices must either generate unique credentials or prompt users to set a password before first use. The law also mandates transparency about update timelines and vulnerability reporting. Penalties can reach £10 million or 4% of global turnover.
**Other regions **Oregon introduced a similar framework soon after California. In Asia, countries such as Japan and Singapore have issued IoT security guidelines recommending unique passwords and secure-by-default design, though enforcement remains limited. China’s and India’s cybersecurity rules currently emphasize data protection more than device authentication, but regulatory attention is increasing.
Across jurisdictions, the direction is clear: unique or user-set credentials are becoming mandatory, while shared default passwords are being banned outright. Manufacturers, not end-users, are now accountable for baseline security. Slowly, major jurisdictions are pushing manufacturers from voluntary best practices to enforceable standards, attempting to close one of the oldest and most preventable gaps in digital security.
Conclusion
Outdated software and missing multi-factor authentication remain two of the most common causes of preventable breaches. Systems that no longer receive updates are unguarded, while single-factor logins make stolen credentials enough to gain access. The fix is simple: keep systems updated and enable a second verification step for any account that matters.
Weak or default passwords continue to undermine even well-designed systems. Every connected device, from routers to cameras, should be checked for unchanged factory credentials. Replace them with strong, unique passwords and store them in a password manager. It takes only minutes to remove one of the easiest ways for attackers to break in.
Cybersecurity isn’t about paranoia; it’s about hygiene. The Louvre’s default password might make headlines today, but behind every “Louvre” there’s a lesson: security lapses start small and end big. Start your essential security hygiene audit today: patch, enforce MFA, and eliminate default credentials. Don’t be a Louvre.
Addendum
We compiled a partial list of incidents involving weak passwords and outdated software.
| # | Incident (year) | Summary | Root cause | Source |
|---|---|---|---|---|
| 1 | Mirai botnet (2016) | Mirai scanned for IoT devices using factory/default credentials (e.g., admin:admin, root:123456), enslaved hundreds of thousands of devices and powered massive DDoS attacks (Krebs, Dyn, OVH, etc.). | Default passwords on IoT. | (Wikipedia) |
| 2 | Verkada camera breach (Mar 2021) | Attackers obtained internal/admin credentials and accessed live feeds from ~150,000 cameras across hospitals, prisons, schools and companies — footage & sensitive data were downloaded. Compromise pivoted on exposed admin credentials in vendor tooling. | Exposed admin credentials / insufficient credential protection. | (Axios) |
| 3 | Equifax (2017) | While the main breach exploited an unpatched Apache Struts flaw, later filings and reporting revealed some internal portals used default/weak creds (e.g., allegations of admin/admin), showing credential hygiene problems. | Default/weak internal credentials (contributed to risk). | (computing.co.uk) |
| 4 | Enterphone door access systems (2024/2025 disclosure) | Researcher found dozens of apartment/office buildings whose door/elevator control panels still used the vendor’s default password — enabling remote access to physical entry controls. Vendor later issued a patch requiring password change. | Default password on physical access control. | ([TechCrunch](https://techcrunch.com/2025/02/24/a-single-default-password-exposes-access-to-dozens-of-apartment-buildings/ “A single default password exposes access to dozens of apartment buildings |
| 5 | Rajkot maternity hospital / Indian CCTV leaks (reported 2024–2025) | Multiple CCTV dashboards (including a maternity hospital) used default/weak credentials (admin123 etc.), enabling attackers to access and leak sensitive video footage. | Default/weak CCTV passwords. | (Pune Mirror) |
| 6 | VOIP-based botnet attacking routers (ongoing reporting) | Reports of a VOIP-targeting botnet that compromises routers configured with default or weak passwords to recruit them into attack infrastructure. | Default/weak router credentials. | (Cyber Security News) |
| 7 | Brother printers bug (689 models) – default admin password exposure (2024/2025 disclosure) | A vulnerability / configuration issue across hundreds of Brother models exposed default admin access (serial-number-derived or predictable admin credentials), letting attackers access printers and internal networks. | Default / serial-derived admin passwords. | (BleepingComputer) |
| 8 | Sitecore XP – hard-coded password ‘b’ (June 2025) | Researchers found a hard-coded password in Sitecore XP that could be abused to achieve remote code execution in some enterprise deployments — a classic case of a built-in credential creating remote compromise paths. | Hard-coded password in enterprise software. | (The Hacker News) |
| 9 | SinoTrack GPS trackers (June 2025) | GPS tracking devices shipped with default credentials or easily guessed login details, allowing remote attackers to track/control vehicles — remote vehicle control and data disclosure possible. | Default credentials on fleet/GPS devices. | (The Hacker News) |
| 10 | McDonald’s AI hiring tool – password 123456 exposed (reported 2024/2025) | A misconfigured / weak password (123456) on an AI hiring tool/application exposed data on millions of applicants (reported ~64M), demonstrating risk when app/tool creds are trivial. | Weak password on HR/app tool. | ([CSO Online](https://www.csoonline.com/article/4020919/mcdonalds-ai-hiring-tools-password-123456-exposes-data-of-64m-applicants.html “McDonald’s AI hiring tool’s password ‘123456’ exposed data of 64M applicants |
| 11 | LogicMonitor incident (2023) | LogicMonitor reportedly issued weak default passwords like Welcome@ + short number for customers; attackers used those weak/default credentials to access customer monitoring accounts — customers reported follow-on compromises. | Weak/default vendor-assigned passwords. | (TechCrunch) |
| 12 | CloudPets smart-toy exposure (2017) | Company left a poorly secured database and weak/absent password protections for user accounts; voice messages and user accounts of hundreds of thousands were exposed. | Weak auth / poor credential practices. | (theguardian.com) |
| 13 | Hangzhou Xiongmai / camera recalls after Mirai (2016 aftermath) | Major camera vendors recalled millions of devices after Mirai-era findings: many cameras shipped with default/root passwords and insecure firmware — these unchanged defaults were central to mass infection. | Factory default credentials on millions of cameras. | (WIRED) |
| 14 | Various industrial / infrastructure incidents (e.g., water facility reports) | Multiple advisories and news reports highlight controllers, PLCs and water-system interfaces left with default or trivial passwords (e.g., 1111), creating paths for interference with critical infrastructure. | Default/trivial passwords on ICS/OT equipment. | (Network-King) |
| 15 | Generic IoT / CCTV surveys and research | Numerous scans and studies repeatedly find that a large share of IoT/CCTV/embedded devices are left with factory defaults or easily guessed passwords — enabling scraping, spying, botnets and access to physical spaces. | Widespread unchanged default passwords. | (cloudflare.com) |