https://www.bleepingcomputer.com/news/security/botnet-authors-don-t-learn-anything-from-victims-and-secure-databases-with-root-root/

Botnet operators can be as clueless about security as their victims, according to Ankit Anubhav, Principal Researcher at NewSky Security, a cyber-security company specialized in IoT security.

Anubhav told Bleeping Computer that he recently stumbled upon two databases of two distinct IoT botnets secured with the trivial username and password combination of root/root.