Manufacturer Foscam urges customers to update passwords.
A hacker was able to hurl abuse at a toddler by exploiting a vulnerability in a camera used as a baby monitor.
Camera manufacturer Foscam has outlined advice to secure its product after ABC News revealed a security flaw in the device when a couple from Houston, Texas, heard a voice shouting obscenities from the camera at their two-year-old.
ABC reported that Marc Gilbert and his wife, Lauren, were shocked to hear a "British or European accent" coming from the camera, which directed offensive, sexualised words at their daughter Allyson, who was asleep in bed.
The hacker could even call the daughter by her name, as it was spelled out on the walls, ABC added.
The girl is deaf, which her parents described as "something of a blessing" in such a situation.
A forum user on Foscam’s website, called jessicaj8521, posted today: "Our camera was hacked this weekend and someone was viewing, controlling the camera and talking to my young children though the camera.
"They did not get into our router or wi-fi they were able to hack into the web software online that you use to view the camera or contorl the camera. BE CAREFUL this is not an idea[l] security solution."
In April, security company Qualys uncovered a weakness in Foscam’s devices.
Qualys found various hacking methods revealed the camera’s remote monitoring access, the easiest being to trawl Foscam’s website for unique identifying codes for each customer.
It added that two in 10 Foscam cameras monitored by researchers were found to be insecure, using just ‘admin’ as a log in with no password required.
Foscam has posted security advice in light of the most recent incidents, writing on its website: "Never use the default username or password for your Foscam camera. Once your camera is fully set up we highly recommend changing both the default username and password.
"Choose a username and password that is at least 8 – 10 characters or longer. These do not have to include special characters, though recommended, but should be at least alphanumeric for the best chance at avoiding a brute force attack or an attempt at password cracking."
CBR has approached the company for comment.