This should go without saying, it takes less than 5 minutes to change a login from its default admin/admin.
SCADACore conducted a survey of 255 sites that were used by a common Internet provider for Public IP modems in the field. We found that of the 255 sites, 10 of them still had their default password associated with it.
With a default password to the admin tools, a malicious user would have full control of your system. They could shut down your modem, access your devices, use your modem as a proxy or spam-bot and drive up usage. Recently, using your modem to purchase products or apps using SMS is happening much more often.
One particular SCADACore client (before moving to SCADACore) had $80,000 in charges on a single modem. After an investigation by the telecom company, the charges were, of course, found to be fraudulent and waived; but a less understanding provider may not have been so quick to waive the fees.