150,000 Cameras Got Hacked Because of One Password. Is Yours Next?
In March 2021, a group of security researchers accessed the cloud platform of Verkada, a major cloud-based surveillance company. They didn't use a sophisticated exploit. They didn't write custom malware. They found super admin credentials that had been publicly exposed online, typed them in, and gained access to more than 150,000 live camera feeds.
Those cameras were inside hospitals. Inside schools. Inside police departments and federal prisons. Inside manufacturing plants belonging to some of the largest companies in the world. One password, never changed, on a system where nearly every employee had been given the highest level of administrative access.
The result: 97 customer organizations confirmed compromised. Over 4,500 individual cameras accessed. Video archives downloaded. Facial recognition searches run across five separate organizations without authorization.
When a security camera gets hacked, the system that was supposed to protect a building becomes a window into it. And the Verkada breach wasn't the last time it happened. It was just the one that made the architecture problem impossible to ignore.
The Pattern Keeps Repeating
Verkada was not an isolated incident. The pattern of camera systems being compromised through architectural and credential failures has continued across the industry.
Ring (Amazon). In 2023, the FTC filed a complaint against Ring for failing to restrict employee and contractor access to customer video feeds. One employee had viewed thousands of recordings of female users in private spaces over a period of months. The company had failed to implement basic multi-factor authentication for internal systems. Ring also used customer video to train algorithms without consent. The FTC order required Ring to pay $5.8 million, with more than $5.6 million distributed as refunds to over 117,000 customers.
Hikvision and Dahua. The threat from Chinese-manufactured cameras extends beyond data privacy concerns into active military exploitation. In 2025, cybersecurity researchers documented Iranian state-linked hackers (IRGC) actively exploiting known vulnerabilities in Hikvision and Dahua cameras to conduct reconnaissance ahead of physical military operations. In June 2025, operatives compromised CCTV servers in Jerusalem days before missile attacks, using live camera feeds to assess targets. Honeypot logs recorded thousands of exploit attempts against Hikvision cameras in September 2025 alone. The vulnerabilities being exploited, including CVE-2021-36260 and CVE-2025-34067, allow remote code execution, credential extraction, and lateral movement into connected networks. Hikvision and Dahua are already banned from U.S. government use under the National Defense Authorization Act.
Can security cameras be hacked? The documented record is clear. They can be, they have been, and the consequences range from privacy violations to national security threats.
Why Cloud-Only Systems Create the Largest Attack Surface
The Verkada breach exposed a structural problem with fully cloud-dependent camera architectures.
When every customer's footage flows through a single cloud platform, one compromised credential can expose every camera on the network. That is what happened. One login provided access to 150,000 cameras across dozens of organizations. The architecture centralized risk in a way that made a single point of failure catastrophic.
This is not an argument that cloud technology is inherently bad. Cloud infrastructure offers real advantages: automatic updates, remote accessibility, geographic redundancy. But when a camera system stores all footage on a provider's servers, your security depends entirely on that provider's practices. Their credential policies. Their access controls. Their employee vetting. Their network segmentation.
The Verkada breach revealed that the provider had given super admin access to what IPVM, an independent surveillance industry publication, described as "basically every team member." The provider had failed to enforce unique or complex passwords, operated an insecure, internet-exposed customer support server, and failed to adequately encrypt customer data. The FTC subsequently took action for these failures.
None of those failures were visible to the customers whose cameras were compromised.
An on-premise system with a network video recorder stores footage locally. If one organization's NVR is compromised, it does not expose any other organization's footage. The attack surface is isolated by design. For a deeper analysis of the architectural differences between cloud and on-premise security, see our comparison of cloud vs on-premise camera systems.
What "Unhackable" Actually Means
No camera system is truly unhackable. Any connected device carries some level of risk. But architecture decisions create orders-of-magnitude differences in how much risk your system carries and how far a compromise can spread.
Here is what separates a camera system with a narrow attack surface from one with a wide-open door:
Reducing Your Camera System's Attack Surface
On-premise storage isolates footage to your network. Forced unique credentials close the most common attack vector. Network segmentation prevents lateral movement from cameras to business systems. NDAA-compliant hardware eliminates documented nation-state backdoors. Encrypted video protects feeds in transit and at rest.
On-premise storage. Local NVR recording means your footage never leaves your network. No cloud provider stores it. No centralized platform aggregates it with footage from thousands of other organizations. A compromise of your NVR affects your cameras. Nobody else's.
Forced unique credentials. Systems that require unique passwords at setup and disable default accounts close the most common attack vector. The Verkada breach and multiple Hikvision CVEs trace directly back to default or shared credentials.
Network segmentation. Cameras should operate on a separate VLAN from your business network. If a camera is compromised, segmentation prevents lateral movement to computers, servers, and sensitive data. This is a network configuration step, not a product feature, but the camera system must support it.
NDAA-compliant, American-made hardware. Hikvision and Dahua cameras carry documented backdoor vulnerabilities actively exploited by nation-state actors. American-made cameras from trusted supply chains eliminate this specific risk category entirely.
Encrypted video transmission. Footage should be encrypted both in transit (between camera and recorder) and at rest (on the NVR storage). Unencrypted video streams on a local network can be intercepted by anyone with network access.
Manufacturer firmware updates. Regular firmware updates patch known vulnerabilities. Systems that depend on a cloud provider for updates are at the mercy of that provider's release schedule. Systems with direct manufacturer firmware support allow the owner to control when and how updates are applied.
Can wired security cameras be hacked? Wired systems are inherently more secure than wireless because they don't broadcast a signal that can be intercepted over the air. But "wired" does not mean "immune." Credential management, network segmentation, and firmware discipline still matter regardless of connection type.
Signs Your Camera System May Be Compromised
If you already have a camera system in place, these are the indicators that warrant immediate investigation:
Unexpected camera behavior. Cameras moving on their own, changing angle, or adjusting zoom without operator input. Pan-tilt-zoom cameras are particularly susceptible to this if admin credentials have been compromised.
Unfamiliar accounts in the admin portal. Log into your camera system's management interface and check the user list. Any account you don't recognize should be treated as a compromise indicator.
Unusual data usage. A security camera system has predictable bandwidth patterns. A sudden spike in outbound data may indicate that footage is being exfiltrated.
Default credentials still active. If your system shipped with "admin/admin" or "admin/12345" and those credentials still work, your cameras are discoverable and accessible to anyone running a basic network scan.
Firmware not updated in 12 or more months. Known vulnerabilities accumulate. Every month without a firmware update is a month where publicly documented exploits remain unpatched.
Cameras accessible on default ports. If your cameras respond on standard ports (80, 443, 554) without any port customization, they are easier to discover in automated scans.
If any of these conditions exist on your system, the immediate steps are: change all passwords, remove unknown accounts, update firmware, segment cameras onto a dedicated network VLAN, and review access logs for unauthorized activity.
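The indicators above that can be checked from data, applied to an exported camera inventory. This is an added example, not part of the original article or any vendor's tooling. The field names, account allowlist, camera subnet and 3x spike threshold are assumptions, and the inventory is constructed sample data.

```python
from datetime import date
from ipaddress import ip_address, ip_network
from statistics import mean

# Assumed values (not from the article): allowlist, subnet, thresholds, field names.
APPROVED_ACCOUNTS = {"secops", "facilities"}
CAMERA_VLAN = ip_network("10.20.0.0/24")
DEFAULT_PORTS = {80, 443, 554}   # the standard ports the article lists
SPIKE_FACTOR = 3.0               # today's outbound MB vs. recent daily average
MAX_FIRMWARE_AGE_DAYS = 365      # "12 or more months"
TODAY = date(2025, 6, 1)         # fixed date so the run is reproducible

def audit_camera(cam, today=TODAY):
    """Return the indicators that apply to one camera record."""
    findings = []
    unknown = sorted(set(cam["accounts"]) - APPROVED_ACCOUNTS)
    if unknown:
        findings.append("unfamiliar_accounts:" + ",".join(unknown))
    if cam["outbound_mb_today"] > SPIKE_FACTOR * mean(cam["outbound_mb_history"]):
        findings.append("outbound_spike")
    if cam["default_password_active"]:
        findings.append("default_credentials")
    if (today - cam["firmware_date"]).days >= MAX_FIRMWARE_AGE_DAYS:
        findings.append("stale_firmware")
    if DEFAULT_PORTS & set(cam["open_ports"]):
        findings.append("default_ports")
    if ip_address(cam["ip"]) not in CAMERA_VLAN:
        findings.append("outside_camera_vlan")
    return findings

def audit_inventory(inventory, today=TODAY):
    """Map each camera name to its list of findings."""
    return {cam["name"]: audit_camera(cam, today) for cam in inventory}

# Constructed sample inventory: one clean camera, one showing every indicator.
INVENTORY = [
    {"name": "lobby", "ip": "10.20.0.11", "accounts": ["secops"],
     "outbound_mb_history": [400, 420, 410], "outbound_mb_today": 415,
     "default_password_active": False, "firmware_date": date(2025, 3, 1),
     "open_ports": [8443, 8554]},
    {"name": "dock", "ip": "192.168.1.50", "accounts": ["secops", "support2"],
     "outbound_mb_history": [500, 520, 480], "outbound_mb_today": 2600,
     "default_password_active": True, "firmware_date": date(2023, 11, 5),
     "open_ports": [80, 554]},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, findings or "no indicators")
```

Unexpected pan-tilt-zoom movement is not covered here because it has to be observed by an operator or taken from the recorder's own event log.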
How to Choose a Camera System That's Actually Secure
Every breach in this article traces back to one or more of the same root causes: default credentials, centralized cloud storage, imported hardware with known vulnerabilities, and insufficient access controls. The buying criteria that prevent those failures are specific and measurable:
On-premise or hybrid storage. Not cloud-only. Local NVR recording eliminates the single-point-of-failure risk demonstrated by the Verkada breach. Secure remote access is possible without putting all footage on a third-party server.
American-made, NDAA-compliant hardware. This is not a marketing preference. It is a documented risk reduction. Hikvision and Dahua cameras have active CVEs being exploited by nation-state actors today. Removing them from your network eliminates a verified attack vector.
No default passwords. The system should force unique credential creation at setup and support multi-factor authentication for admin access. If it ships with a universal default password, it was designed for convenience, not security.
Encrypted video, in transit and at rest. Both the feed between camera and recorder and the stored footage on the NVR should be encrypted. This protects against both network interception and physical theft of the recorder.
No subscription required for core functionality. Security cameras without monthly fees use local storage, which also means your footage is not sitting on a cloud server you don't control. The subscription model is not just a cost issue. It is a security architecture decision. For more on choosing a system for your business, see our small business security camera guide.
Regular firmware updates from the manufacturer. Not from a cloud provider. Not on a schedule you can't control. Direct access to manufacturer firmware patches ensures you can respond to newly disclosed vulnerabilities on your own timeline.
Your Camera System Should Not Be a Vulnerability
150,000 cameras compromised through one password. Employee surveillance of customers. Nation-state actors using hacked cameras to plan physical attacks. This is the documented record of what happens when camera systems are designed around convenience and cost rather than security architecture.
The system protecting your building should not itself be the weakest point in your network. The architecture decisions made when selecting and deploying that system determine whether your cameras are working for you or have become a liability.
Iron Gate Technologies builds camera systems on an architecture designed to minimize attack surface: on-premise storage, American-made NDAA-compliant hardware, encrypted video, no cloud dependency, and no subscription model. Security cameras that are built to protect, not to expose.
Contact Iron Gate Technologies to discuss a camera system built for actual security.