BENGALURU, Karnataka—If you’re an ACT broadband customer, make sure you change the default password on your Wi-Fi router right away, because your entire connection may be at risk. Security researcher Karan Saini told HuffPost India that he found a flaw in the security settings for ACT issued routers, which can expose them to the open Internet. Since these routers come with the default administration password hardcoded, if a customer just uses it without making any changes, then anyone can log into the router and effectively take control of their Internet connection.

ACT is thethird biggest wired broadband provider in India according to theTelecom Regulatory Authority of India (TRAI), behind onlyBSNL andAirtel, and it’s been growing fast, adding new cities and plans.

However, Saini found that the Bengaluru-based company has made some questionable choices when setting up the routers that it distributes to customers when installing new connections. At least two models of TP Link routers, TL-WR850N and Archer C5 AC1200, as well as D-Link routers issued by the company, are set up in such a way that someone could easily gain access to the router management portal, block websites, steal login credentials or monitor Internet traffic passing through the router, he said.

For the latest news and more, follow HuffPost India on Twitter, Facebook, and subscribe to our newsletter.

The router is the hub through which all your Internet traffic is passing, which your devices connect to. By gaining access to your router remotely, anyone can hijack your connection.

Saini found that the routers come with a password that’s hardcoded in (separate from your Wi-Fi password, that you use to connect your phone or laptop to the network) and unless the subscribers actively make changes—something that almost never happens—the password is common to thousands of devices.

Researchers at Ben-Gurion University found this to be a very widespread issue. Device manufacturers set these default passwords and then list them online for quick troubleshooting and setup; but that also means that these passwords can be found with a simple Google search.

“Getting a foothold into a home Wi-Fi network to infect devices with malware, all via a poorly-secured internet-enabled coffeemaker, might sound somewhat ludicrous, but it’s sadly entirely possible,” noted Maria Varmazis, writing for cybersecurity provider Sophos.

But Saini also discovered that ACT’s routers’ management portals are accessible through the open Internet, by anyone—leaving them vulnerable to attacks over the Internet.

“The reason behind this is unclear. My initial guess was that the routers that are publicly available must have explicitly changed settings to do so,” Saini said. “However, after traversing the Internet for public routers, this does not seem to be the case. Further, most routers I have come across in my search did not have any explicit settings enabled for allowing remote administration.”