Nearly 22,000 Live Cameras With No Login Required: A Mysterium VPN Research

The surveillance industry's pitch has always been a simple one: put a camera up, and you get to see what's happening. The implicit promise is that the arrangement is one-directional, promising that the only person watching is you. If only that were always the case.

We spend a lot of time at Mysterium VPN thinking about who gets to sit in the middle of someone else's connection, and the answer we keep arriving at is that it should always be the person who consented to it. So this time, we went looking at the cameras themselves.

Using a public internet-wide device index, we conducted a passive snapshot analysis in May 2026, querying aggregate data on every camera and recorder that answers the open internet. We looked at device families, authentication status, geographic distribution, and network assignment.

What we found was more than three million internet-reachable cameras, with 21,786 of them streaming live video to anyone who pointed a browser at them, with no login, no challenge, and no warning to the person on the other side of the lens.

Key Takeaways

• 21,786 camera feeds were openly viewable with zero authentication of any kind, a floor and not a ceiling.
• More than 3 million cameras are reachable from the open internet, with the 21,786 figure counting only those that ask for nothing at all.
• Japan (19%) and the United States (17%) host the most open feeds, followed by Mexico, Taiwan, and Germany.
• Budget "HiSilicon"-class recorders were open 27% of the time and one legacy webcam app 46%, versus just 0.06% for Hikvision-branded cameras.
• The open feeds resolve overwhelmingly to residential and mobile ISP networks, meaning these are connections inside people's homes.

The Scale: Millions Reachable, Tens of Thousands Wide Open

The install base is the right place to start, because its shape explains everything that follows. Two names dominate every camera and recorder that answers the public internet: Hikvision and Dahua together account for more than three million internet-reachable devices, dwarfing every other family combined. 

Disclaimer: Data was captured in May 2026.

These are the engines of the global camera market, and their gear is everywhere. But reachable is not the privacy emergency. Most of those millions answer with a login screen.

The figure that matters is the cameras that show their video to anyone who simply points a browser at them. After de-duplication using the index's camera image category, which is 21,786 feeds open with no login whatsoever. And sure, from more than three million reachable cameras, 21,786 wide-open ones might not sound like that much, but trust me – this gap is far from reassuring.

A Login Screen Was Never a Lock

It’s tempting to read that funnel as good news: millions reachable, tens of thousands truly open, so the rest must be protected. And yet, they are not necessarily protected. For most of the internet's history, a camera's login screen was a formality because the password was printed in the manual and indexed in public directories. admin / 12345 opened almost any Hikvision, while admin / admin opened Dahua and a thousand budget recorders. A door with the key taped to the frame is not a locked door.

Naturally, this major flaw was already weaponized at a planetary scale. The 2016 Mirai botnet assembled hundreds of thousands of cameras and DVRs into one of the largest attack networks ever seen, using nothing more than a short list of hardcoded default logins. Mirai's descendants are still running today, still trying the same credentials against the same devices. 

The two giants have since changed course. Hikvision, from its 2015-era firmware onward, removed the default password entirely: a new device cannot be used until the owner completes activation and sets a unique, strong password. Dahua followed with mandatory password creation on first boot. Higher-end vendors such as Axis have long required a password to be set before first use.

Regulators eventually codified the obvious. California banned default passwords from January 2020 under SB-327, and in April 2024 the UK became the first country to outlaw universal default passwords outright under the Product Security and Telecommunications Infrastructure Act, naming cameras and baby monitors explicitly.

So the problem is solved for devices sold new, today, by the companies that complied. It is emphatically not solved for the hundreds of millions of cameras already hanging on walls. Legacy hardware that predates activation, devices reset to factory defaults, and the entire cheap, no-name end of the market still ship with or silently retain hardcoded credentials, often on firmware that will never receive a patch.

This is why 21,786 is a deliberate floor. We counted only the feeds that ask for nothing at all. We did not type a single password, default or otherwise, because doing so would be unauthorized access, the exact line this research refuses to cross. Every camera sitting behind a login that still answers to admin / admin is invisible in our headline figure. The true count a determined stranger could reach is larger, but we measured only what we could see without touching a key.

Budget Recorders Are the Exposure, Not the Big Brands

Among the feeds that are fully open, the most useful question is not how many but which ones, and the answer overturns the intuition that premium gear is riskier to leave online. When you measure the share of each device family that is wide open with no login, the brand names barely register.

Disclaimer: Data was captured in May 2026.

Hikvision-identified cameras were open just 0.06% of the time. Dahua was effectively never open, the direct dividend of those mandatory-activation policies. The exposure lives almost entirely at the cheap end. Budget "HiSilicon-class" recorders were open 27.1% of the time, and a legacy webcam application called webcamXP hit 45.6%, meaning nearly half of every device of that type that answers the internet is broadcasting to anyone who asks.

A single generic protocol accounts for the largest share of all open video: 9,746 feeds were streaming over RTSP, the standard camera-streaming protocol, with no access control at all. RTSP was designed for streaming, not for security. Without any authentication layer, it is simply an open pipe.

The Geography of Open Feeds Does Not Match the Geography of Cameras

The distribution of open camera feeds by country does not follow the distribution of cameras overall, and that mismatch is itself a finding. Markets that flood homes with inexpensive cameras dominate the install base, but the feeds people can actually watch cluster elsewhere.

Disclaimer: Data was captured in May 2026.

Japan and the United States together account for more than a third of all open feeds. Japan's high count is driven by a handful of consumer broadband providers whose customers appear disproportionately represented in the data. Smaller countries surface in ways raw population cannot explain: Moldova ranks eighth, almost entirely because of a single national ISP.

Counts reflect feeds with a confirmed country location, with roughly 2,600 additional feeds sitting in a long tail of smaller countries not shown above.

These Are People's Homes, Not Server Racks

If these feeds lived in data centers, this would be a story about sloppy corporate IT. They do not. Sorted by network, the open feeds resolve almost entirely to residential and mobile internet providers.

Disclaimer: Data was captured in May 2026.

Japan's Asahi Net, OCN, BIGLOBE, and NTT DOCOMO. Taiwan's Chunghwa Telecom. Germany's Deutsche Telekom. Verizon, Charter, and Comcast in the United States. Viettel and VNPT in Vietnam. These are the connections in people's houses and on their phones.

One entry is worth flagging separately. The block of 961 feeds attributed to Huawei Cloud MX appears to be hosted camera-gateway infrastructure rather than end-user devices, inflating both Mexico's country total and the network totals. We flag it rather than let it pass as residential. Strip that block and the numbers shift, but the story does not change.

What It Actually Means to Be Watched

An open feed is not an abstraction. It is a live window that anyone can open into a living room, a child's bedroom, a shop floor, a building lobby, or a reception desk. People have no idea it is happening, because nothing on their end signals it. The camera works exactly as expected while broadcasting to strangers in parallel. But that doesn’t make the harms any less real.

An open camera reveals when a home is empty, who lives there, and what their routine looks like, providing reconnaissance for burglary, stalking, or harassment. Feeds get aggregated, indexed, and traded. There are directories of open camera feeds that have operated for years, some of them enormous, built entirely on cameras whose owners have no idea they are listed. The person being watched is the last to know.

We located these cameras and deliberately did not look. That restraint, consent before access every time, is exactly what the people already watching these feeds do not practice.

Privacy is not the absence of cameras. It is control over who can see. The same act of routing into a feed and watching a stream is either a violation or a service depending on one thing: whether the person on the other end agreed to it.

What You Should Do

Most of this exposure is not the result of hacking but of configuration, devices left in their factory state, or cheap gear that was never designed to be secured in the first place. That distinction means the fix is in your hands, not in a patch that will likely never arrive.

Here is what to check, in priority order:

• Change the default password on your camera and your recorder. Credentials like admin / admin, admin / 12345, and 888888 are on every scanner's list. If you never set a password during setup, assume the device still has the factory default and change it before anything else.
• Turn off UPnP on your router. UPnP allows devices to automatically open ports to the internet without asking you. It is the single most common reason a camera that felt private suddenly answers the public internet. Disabling it is one router settings page away.
• Disable remote port-forwarding for your cameras unless you explicitly set it up and know why. If you are not sure whether it is enabled, assume it is.
• Disable any open RTSP stream you are not deliberately using. RTSP with no authentication is a direct broadcast to anyone who finds the address. If your camera or recorder has RTSP enabled and you did not put a password on it, the stream is accessible.
• Update the firmware. If a budget recorder has not received a firmware update in years, or ever, treat it as untrustworthy and take it off the internet. Legacy devices do not get patched, and the vulnerabilities in them are well documented.
• Prefer cameras with no inbound exposure. Look for devices that reach out to an encrypted relay rather than accepting connections from the open internet. They are harder to find from the outside because there is no open port to find.
• Put cameras on a separate network segment from your computers and phones. One exposed device should not be a doorway into everything else on your home network.

The uncomfortable truth in our data is that the major brands largely fixed this problem years ago. The cameras at 0.06% and 0.0004% exposure rates did so by making activation mandatory and removing the concept of a universal default password. The cameras at 27% and 45% never bothered.

Buying cheaper gear to save money on security cameras is, in a very direct sense, paying to be surveilled. Privacy and security on your home network are worth investing in. A camera that phones home to a manufacturer with a functioning security team, that forces a password before first use, and that receives firmware updates is worth meaningfully more than a budget recorder that does none of those things, with the gap between them visible in our data.

How We Conducted This Research

Our findings are drawn from a public internet-wide index of internet-connected devices, using a point-in-time snapshot captured in May 2026. We queried aggregate counts only.

Defining an open feed. A device was counted as an open feed when the index had captured a still frame from it without any authentication, which is a reliable proxy for "viewable by anyone." The headline figure of 21,786 is de-duplicated using the index's camera image category.

A floor, not a ceiling. We counted only feeds that stream with no login at all, and we tested no passwords. Attempting even a known factory default would be unauthorized access, which this research does not do. Cameras reachable behind a login that still accepts a default credential are excluded from the 21,786, so the figure is a conservative floor.

Install base and rates. Reachable totals count devices answering the public internet by family. Exposure rates compare the open-feed count for each family against its total reachable count. Geography and network breakdowns are computed over the open-feed set only.

Ethics: We did not look. This research is strictly passive. No camera feed was connected to, accessed, logged into, or viewed. No image data was retrieved. No credential was ever entered. Locating an exposed camera and choosing not to open it is the line between security research and abuse.

Caveats. One cloud-hosted block in Mexico appears to be camera-gateway infrastructure rather than end-user devices and is flagged throughout. Some country totals are dominated by a single ISP. Roughly 526 exposed industrial and control-system screens were observed in the same dataset and fall outside this consumer-focused study.