It may come as a surprise to some, but just unboxing your new gadgets and connecting them it up to the Internet - is the most common cause of security exploits within the IoT industry. A tech savvy hacker can scan the network for devices with open ports then attempt to access various services utilizing a large database of default passwords.
A lot of devices expose administration functionality over a range of different service ports (HTTP, telnet, ssh) - typically used for configuration or remote access of the device. In some cases; they even provide shell access which can allow the user to get up to nasty things.
A quick google search reveals a number of popular sites:
While these websites can come in handy for an IT specialist who is performing service and maintenance - it is also a handy source of information for anyone wanting to gain unauthorized access to a device or even re-purpose a device for their own bidding.
It doesn't only affect network routers - any device with open ports is at risk. In late 2016, the Mirai botnet exploited default passwords of IP cameras to create a botnet that was eventually used to perform a Distributed Denial of Service (DDoS) attack that took down a number of popular websites. In fact the Persirai botnet, built on the foundations of Mirai has now been discovered in the wild and is even more aggressive in nature.
The Raspberry Pi is not excluded from third party attacks either - there have been reports of Raspberry Pi malware being found, utilizing the default password and an open ssh port. While the one found was utilizing additional CPU resources to mine a cryptocurrency, it could easily be instructed to wait patiently for a command to do something terrible.
Changing user passwords must be done immediately when deploying devices.