Hacked Routers Linger on the Internet for Years, Data Shows

Summary

Researchers using Censys Internet-scan data found several hundred Ubiquiti routers still showing hacked banners — defacements that, in many cases, date back years rather than representing recent attacks. The defaced banners trace to campaigns going back to at least 2016–2017 (for example, MF worm-related messages). Most compromises appear to result from weak or default credentials (e.g., ubnt/ubnt), and the affected devices are commonly on consumer or residential ISP networks. Although the number of visibly defaced routers has decreased since about 2022, the remaining hosts highlight a persistent visibility and maintenance gap for many asset owners. The researchers did not observe clear follow-on malicious activity tied to these banners, so some infections may have been exploratory or opportunistic.

Key Points

  • Censys researchers discovered several hundred Ubiquiti routers still displaying hacked/defaced banners.
  • Many banners link back to campaigns from 2016–2017, indicating long-lived compromises rather than fresh attacks.
  • Weak, reused or default credentials (e.g., ubnt/ubnt) are the primary apparent cause of the compromises.
  • Visible defacements have declined since 2022, but a non-trivial number of devices remain compromised — showing a visibility/maintenance gap.
  • No obvious, consistent follow-on malicious activity was observed, suggesting some compromises may be opportunistic or experimental rather than part of an ongoing sophisticated campaign.

Context and Relevance

This finding matters because consumer and residential network gear often lacks enterprise-grade monitoring and patching, making it a persistent weak link in internet security. Long-lasting compromises increase the chance of lateral abuse, ISP reputation issues, or inclusion in broader botnets. The report underlines broader trends: credential hygiene still matters, and external scan data can reveal blind spots that owners and providers may miss for years.

Why should I read this?

Short version: if you manage home, small-business or ISP networks, this is your wake-up call. Default passwords and poor maintenance mean devices can stay hacked for years without anyone noticing. Read this to quickly grasp the scale of the visibility problem and the simple fixes (credential hygiene, monitoring, patching) that stop these stale compromises from becoming something nastier.

Source

Source: https://www.darkreading.com/endpoint-security/hacked-routers-linger-on-the-internet-for-years-data-shows
