Hi, this morning I discovered that someone had made ~150 international phone calls from my TPG NBN Home Phone Account even though I don't even have a home phone handset connected. Digging a bit further, I have since discovered that my TPG-provided TP-Link Archer VR1600 v2 router has a gigantic security hole as they all have a hard-coded Super User that allows anyone to log in to them remotely (provided remote Web Access is enabled, which I needed).
After about 2 seconds of googling I soon found the Super User username & pwd and sure enough, I could remotely log in and have full control of the router settings & passwords, including access to all of the Telephony settings. I'm not sure yet, but I'm guessing this is how the international phone calls were made on my account. I tried to change the password for this Super User; however, it does not seem to change it, as I could still log in using the usual Super User password.
I have now switched back to my old router as I don't trust this TP-Link thing anymore.
TPG, what are you going to do about this MASSIVE security vulnerability that I'm guessing affects a large number of your users?