40K IoT cameras worldwide stream secrets to anyone with a browser.

40K Security Cameras Found Compromised Online | Bitsight
Shodan.io is the searchable index of open IoT devices.
Change the default password, people!
Hard-coded default passwords have been illegal in California since 2020, so it shouldn't be as much of an issue with newer devices. Companies aren't going to make California-specific versions of their devices, so they'll often just follow the California standards everywhere.
To be legal in California, the device either needs to have a randomly-generated password unique to that device (can be listed on a sticker on the bottom of the device, or in the manual), or it needs to prompt to set a password the first time you use it.
I still wouldn't ever expose a camera directly to the internet. Keep it just on your LAN (e.g. using a VLAN) and VPN in (e.g. using Tailscale) to connect to it remotely.
There's a site that lists all the insecure cameras: http://www.insecam.org/
Those cameras have been there since the 90s. I remember watching them through the ActiveX RealMedia Player plugin in IE. Nothing has changed.
40K?
Praise the Omnissaiah!
It would be nice to know what brands or models are most vulnerable.
What this is talking about is not really about the brand or model; it's just about them being misconfigured. These cameras were exposed to the internet with either default credentials or no authentication.
There are very few good reasons to expose a camera to the internet at all; just access it over a VPN. If for some reason someone really needs to access it over the internet (I genuinely cannot think of any), then they should put some proper authentication in front of it.
An IP camera may stay in use for a decade or more without any firmware updates. You shouldn't trust any sort of authentication that's built into the camera to be secure. Keep them on an isolated LAN and only allow access from the server that's running the DVR software.
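One way to enforce the isolation this comment describes on a Linux router, as an added example that is not from the thread or from Bitsight: the cameras sit on their own VLAN, only the DVR host may open connections to them, and nothing forwards traffic from the camera VLAN to the internet or to other LAN segments. Interface names, subnets and the DVR address are assumptions; adjust them to your network.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread): camera VLAN isolation.
# All names and addresses below are assumptions for illustration.

flush ruleset

define CAM_VLAN = "vlan20"       # VLAN interface the cameras live on (assumed)
define CAM_NET  = 10.20.0.0/24   # camera subnet (assumed)
define DVR_HOST = 10.10.0.5      # server running the DVR/NVR software (assumed)
define WAN      = "eth0"         # uplink to the internet (assumed)

table inet cam_isolation {
    chain forward {
        # Default-deny for everything this router forwards; there is
        # deliberately no DNAT/port-forward into $CAM_NET, so the cameras
        # are not reachable from the WAN at all. Remote viewing goes over
        # the VPN to the DVR host, never to a camera directly.
        type filter hook forward priority filter; policy drop;

        # Stateful: let replies flow back for connections the DVR opened.
        ct state established,related accept

        # Only the DVR host may initiate connections to the cameras:
        # RTSP for video, HTTP/HTTPS for the camera's own web UI.
        ip saddr $DVR_HOST ip daddr $CAM_NET oifname $CAM_VLAN \
            tcp dport { 80, 443, 554 } accept

        # Cameras never initiate anything: no cloud "P2P" tunnels,
        # no firmware phone-home, and nothing a compromised camera
        # could use to reach the internet or other LAN segments.
        iifname $CAM_VLAN oifname $WAN drop
        iifname $CAM_VLAN drop
    }
}
```

Load it with `nft -f <file>` and verify with `nft list ruleset`; if the DVR also needs NTP or discovery (e.g. ONVIF over UDP 3702) to reach the cameras, add those ports to the accept rule rather than loosening the policy.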
40k? Impressive resolution.
For the Emperor!