Data breach: 16 billion stolen logins raise the stakes for CCTV security
- Jun 20

Researchers today confirmed 30 exposed databases holding roughly 16 billion usernames and passwords, most lifted by 'infostealer' malware and covering Apple, Google, VPNs and hundreds of SaaS platforms. Although some records were public before, the bulk is new and the full trove is now trading on criminal forums.
Why you should care
Cameras, NVRs and cloud‑video portals often reuse staff email addresses and simple passwords that now sit in the leak.
Logs map each password to the service URL, so bots can hit your login pages in minutes.
Session cookies in the dump let attackers skip MFA where vendors still rely on web tokens.
Your priority actions
| Task | Deadline | Outcome |
| --- | --- | --- |
| Force password reset on every CCTV and cloud-video account | 24 h | Stops credential-stuffing |
| Turn on app-based MFA where supported | 24 h | Blocks replay of dumped logins |
| Close any public port-forwarding; use VPN or zero-trust gateway | 7 d | Cuts direct attacks |
| Update firmware and delete unused services (Telnet, UPnP, P2P) | 7 d | Removes known exploits |
| Put cameras on their own VLAN, monitor outbound traffic | 14 d | Limits lateral movement |
| Run ICO CCTV self-assessment and keep records | 30 d | Shows data-protection compliance |
Step-by-step checklist
Kill password reuse - immediately
Generate new 16-character passwords or long pass-phrases.
Store them in a password manager (such as '1Password'); share credentials only through the system manager.
Lock down any remote access
Restrict admin logins to the corporate LAN or a fixed IP list.
Disable cloud “relay” features if the vendor allows this.
Patch and harden devices
Apply the latest vendor firmware this week, then review monthly.
Remove or rename any default accounts.
Segment the network
Place cameras on an isolated VLAN.
Log and alert on outbound traffic to unknown IPs.
Meet the legal baseline
The Product Security and Telecommunications Infrastructure Act (April 2024) bans shared default passwords on UK-sold smart cameras; reject any supplier still using them.
Follow the ICO CCTV guidance and its self-assessment checklist for GDPR compliance.
Use the Surveillance Camera Code of Practice self-assessment tool to show adherence to the 12 principles.
Plan for incidents
Download the NCSC Small Business Guide: Response & Recovery and keep a printed copy with your run-book.
Keep an offline backup of camera configs and a current supplier contact list.
Subscribe your domain to Have I Been Pwned for breach alerts.
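
For the "Segment the network" step above, one way to alert on outbound traffic from the camera VLAN to unknown IPs. This is an added example, not part of the original article or any vendor's tooling; the camera subnet, the allowlist entries and the flow-record format are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed values for illustration: camera VLAN subnet and approved (network, port) pairs.
CAMERA_VLAN = ipaddress.ip_network("10.20.30.0/24")
ALLOWED = [
    (ipaddress.ip_network("10.20.40.10/32"), 554),   # NVR on the video VLAN (RTSP)
    (ipaddress.ip_network("10.20.40.5/32"), 123),    # internal NTP server
    (ipaddress.ip_network("198.51.100.0/28"), 443),  # placeholder vendor update range
]

# Constructed sample flow records: time src dst dport proto bytes
SAMPLE_LOG = """\
2025-06-20T09:00:01Z 10.20.30.11 10.20.40.10 554 tcp 184220
2025-06-20T09:00:02Z 10.20.30.11 10.20.40.5 123 udp 76
2025-06-20T09:00:05Z 10.20.30.12 203.0.113.77 8883 tcp 5120
2025-06-20T09:00:09Z 10.20.30.12 203.0.113.77 8883 tcp 4096
2025-06-20T09:00:11Z 10.20.30.13 198.51.100.4 443 tcp 900
2025-06-20T09:00:12Z 10.20.30.13 198.51.100.4 23 tcp 60
2025-06-20T09:00:15Z 192.168.1.50 203.0.113.77 443 tcp 300
garbled line without enough fields
"""

def is_allowed(dst, port):
    return any(dst in net and port == p for net, p in ALLOWED)

def unknown_outbound(log_text):
    """Return ({(camera_ip, dst_ip, port): [flows, bytes]}, skipped_records)."""
    alerts = defaultdict(lambda: [0, 0])
    skipped = 0
    for line in log_text.splitlines():
        try:
            _, src, dst, port, _, nbytes = line.split()
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port, nbytes = int(port), int(nbytes)
        except ValueError:
            skipped += 1  # count unparsable records instead of silently dropping them
            continue
        if src not in CAMERA_VLAN or is_allowed(dst, port):
            continue  # not a camera, or an approved destination and port
        entry = alerts[(str(src), str(dst), port)]
        entry[0] += 1
        entry[1] += nbytes
    return dict(alerts), skipped

if __name__ == "__main__":
    alerts, skipped = unknown_outbound(SAMPLE_LOG)
    for (cam, dst, port), (flows, nbytes) in sorted(alerts.items()):
        print(f"ALERT camera={cam} dst={dst}:{port} flows={flows} bytes={nbytes}")
```

Matching on destination and port together means an approved vendor address contacted on an unexpected port (Telnet in the sample) still raises an alert.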
Supplier assistance for UK CCTV managers
How to use this help
Subscribe today
Sign up to the vendor advisory lists above; route them to your ticketing system so nothing slips past.
Push immediate password changes
Run Axis Device Manager, HiTools or your vendor’s cloud console to set fresh, unique credentials on every camera and NVR.
Apply the newest firmware set
Download the latest bundle, validate hashes, and schedule rolling updates during low-traffic hours.
Log a PSIRT ticket if you spot abuse
Vendors respond faster when you quote your support contract ID and supply packet captures.
Ask for managed support if you lack staff
Axis “Secure Remote Access”, Genetec Advantage or distributor-run SOC services can monitor login abuse and block suspicious IPs for you. Many other providers also have various options to support you with this, so get on the phone and enquire.
Check PSTI compliance before buying
UK law already bans products that ship with shared default passwords, so require written confirmation from the supplier/s.
Quick questions to put to your supplier/rep this week
Do you have a Multi-Factor Authentication (MFA) option for admin logins? If not, ask when this might become an option for your system.
Can your bulk config tool force HTTPS and disable Telnet by default?
What’s your SLA for a Common Vulnerabilities and Exposures (CVE) entry rated 9.0+? (CVE is the global ID system that IT security teams use to track individual software or firmware flaws.)
Will your current licence cover auto-updates, or is an upgrade needed?
Do you offer a systems hardening guide aligned to National Cyber Security Centre principles?
Most suppliers already have the apps/tooling; you may just need to activate it and then fold their cyber alerts into your routine maintenance calendar. That’s the fastest way to cut the risk from today’s credential leak.
Final word
The data breach shows that password dumps now surface faster than most patch cycles. Treat every external login as already known to attackers. Stop password reuse, apply MFA, and keep cameras behind a controlled gateway. That gives you the same protection a full system upgrade would, at a fraction of the cost.
This article was created with the assistance of AI