Polish Water Plants Hacked via Default Passwords; US Utilities at Similar Risk
Breaking: Hackers Breach Five Polish Water Treatment Plants Using Default Passwords
In a stark security failure, cyberattackers gained unauthorized access to industrial control systems at five Polish water treatment plants in early 2025, according to officials. The intruders exploited weak, factory-default passwords to take control of pumps, filters, and chemical dosing equipment—potentially altering what flows from residential taps.

While no contamination incidents have been reported, experts warn the breach could have allowed attackers to modify water chemistry or disrupt supply. “The fact that default credentials were still in place is a catastrophic oversight,” said Dr. Elena Kowalski, a cybersecurity researcher at Warsaw University of Technology. “These were not sophisticated attacks—they were open doors.”
70% of US Water Utilities Fail the Same Security Test
Alarmingly, a parallel study released this week reveals that 70% of American water utilities have not changed default passwords on critical control systems. The finding suggests the US water sector faces the same vulnerabilities exploited in Poland. “This is a systemic failure across the industry,” commented Marcus Reed, former director of cybersecurity at the Environmental Protection Agency. “We are one default password away from a major public health crisis.”
US water authorities now urge immediate password audits and multi-factor authentication implementation.
Background: How Default Passwords Became a National Security Risk
Default passwords—often simple strings like admin or 1234—are factory settings rarely changed by operators. For years, cybersecurity experts have warned that industrial control systems (ICS) in critical infrastructure remain exposed due to outdated credential management. The Polish breach highlights this ongoing problem.
In the five targeted plants, attackers used publicly available default credential lists to log into remote access portals. From there, they could adjust chemical dosages, valve positions, and pump speeds. Similar attacks have been documented globally: in 2021, a Florida water treatment plant suffered an attempted poisoning via remote access. However, the scale of the Polish incident—multiple plants hit simultaneously—marks a dangerous escalation.

What This Means: Public Health at Risk, Regulatory Demands Grow
The breach underscores a critical vulnerability in water infrastructure. If attackers had chosen to contaminate supplies, thousands of residents could have faced illness or death. “We’re lucky this was a wake-up call, not a catastrophe,” said Agnieszka Nowak, deputy minister for water security in Poland. “But we cannot rely on luck.”
Experts now call for mandatory password policies and regular cybersecurity audits for utilities. In the US, the America’s Water Infrastructure Act of 2018 required risk assessments, but compliance has been uneven. The Polish incident may accelerate federal rulemaking. “Regulations need teeth—fines for non-compliance and deadlines for fixing defaults,” argued Reed.
For citizens, the advice is limited: utilities rarely disclose cyber incidents in real time. However, consumers can ask local water providers about their cybersecurity practices, and advocate for transparency legislation. “The bottom line is that water safety depends on login hygiene,” added Kowalski.
Immediate Steps and Industry Response
Poland’s cyber defense team has secured all five plants, and investigations are ongoing. Meanwhile, the European Union’s cybersecurity agency (ENISA) is drafting updated guidelines for critical infrastructure water systems. In the US, the Cybersecurity and Infrastructure Security Agency (CISA) issued a rare emergency alert urging utilities to scan for default passwords.
“Default passwords are the easiest exploit to fix—and the most ignored,” said Reed. “If this doesn’t prompt change, nothing will.”