A report from a cybersecurity company last week found that over 40,000 unsecured cameras—including CCTV and security cameras on public transportation, in hospitals, on internet-connected bird feeders and on ATMs—are exposed online worldwide.
Cybersecurity risk intelligence company BitSight was able to access and download content from thousands of internet-connected systems, including domestic and commercial webcams, baby monitors, office security, and pet cams. They also found content from these cameras on locations on the dark web where people share and sell access to their live feeds. “The most concerning examples found were cameras in hospitals or clinics monitoring patients, posing a significant privacy risk due to the highly sensitive nature of the footage,” said João Cruz, Principal Security Research Scientist for the team that produced the report.
The company wrote in a press release that it “doesn’t take elite hacking to access these cameras; in most cases, a regular web browser and a curious mind are all it takes, meaning that 40,000 figure is probably just the tip of the iceberg.”
Depending on the type of login protocol that the cameras were using, the researchers were able to access footage or individual real-time screenshots. Against a background of increasing surveillance by law enforcement and ICE, there is clear potential for abuse of unknowingly open cameras.
Samantha Cole
“Knowing the real number is practically impossible due to the insanely high number of camera brands and models existent in the market,” said Cruz, “each of them with different ways to check if it’s exposed and if it’s possible to get access to the live footage.”
The report outlines more obvious risks, from tracking the behavioral patterns and real-time status of when people are in their homes in order to plan a burglary, to “shoulder surfing,” or stealing data by observing someone logging in to a computer in offices. The report also found cameras in stores, gyms, laundromats, and construction sites, meaning that exposed cameras are monitoring people in their daily lives. The geographic data provided by the camera’s IP addresses, combined with commercially available facial-recognition systems, could prove dangerous for individuals working in or using those businesses.
You can find out if your camera has been exposed using a site like Shodan.io, a search engine which scans for devices connected to the internet, or by trying to access your camera from a device logged in to a different network. Users should also check the documentation provided by the manufacturer, rather than just plugging in a camera right away, to minimize vulnerabilities, and make sure that they set their own password on any IoT-connected device.
This is because many brands use default logins for their products, and these logins are easily findable online. The BitSight report didn’t try to hack into these kinds of cameras, or try to brute-force any passwords, but, “if we did so, we firmly believe that the number would be higher,” said Cruz. Older camera systems with deprecated and unmaintained software are more susceptible to being hacked in this way; one somewhat brighter spot is that these “digital ghost ships” seem to be decreasing in number as the oldest and least secure among them are replaced or fail completely.
Unsecured cameras attract hackers and malicious actors, and the risks can go beyond the embarrassing, personal, or even individual. In March this year, the hacking group Akira successfully compromised an organisation using an unsecured webcam, after a first attack attempt was effectively prevented by cybersecurity protocols. In 2024, the Ukrainian government asked citizens to turn off all broadcasting cameras, after Russian agents hacked into webcams at a condo association and a car park. They altered the direction of the cameras to point toward nearby infrastructure and used the footage in planning strikes. Ukraine blocked the operation of 10,000 internet-connected digital security cameras in order to prevent further information leaks, and a May 2025 report from the Joint Cybersecurity Advisory described continued attacks from Russian espionage units on private and municipal cameras to track materials entering Ukraine.