First I need to give some intro.
My local network is split into 3 different independent networks connected to the router: one is the wired network with all the servers, workstations etc., the second is WiFi where the phones, tablets and stuff are, and the third is where the IoT devices are (Tasmota devices, air cleaner, vacuum cleaner, IP cameras and similar cr%$#^p). Since the apartment is split into many rooms, getting a single WiFi AP to cover it is not really possible, so I have an Ethernet-over-powerline setup (1 Gbit/sec, actually works well) going from the router directly to a few access points. Since I don't really trust WiFi to be a stable connection, no matter how many new protocols my APs support and how highly reviewed they are, I link my OctoPrints directly to one of those Ethernet-over-powerline devices, via an Ethernet switch to all of them. Everything worked like that for approx. 7 years (since I moved to this apartment; not sure at what point the OctoPrint(s) were added to the mix).
Now, what happened: I was having trouble with the local network for the past few days. The WiFi would stop working in the house, all the phones and tablets would not be able to see the internet, and if you tried to reconnect to the WiFi you could not get an IP, the dhcpd was not sending you anything. Restarting a bunch of stuff would get it back to working condition, but it would work for a day and then stop again, sometimes at 2am, sometimes in the afternoon, sometimes in the morning, no rule. Then I decided to go about it a bit more seriously and started rebooting one device at a time to figure out what was causing the issue, and it took me a few iterations to figure out that one of the OctoPrint servers was the culprit!!! The problem was that rebooting one of the switches or one of the Ethernet-over-powerline devices would also solve it; any interruption of the link to the OctoPrint for a second would fix the issue for a while.
SSH to the OctoPrint (rather old version of Armbian, 2 years min, maybe older, running on an Orange Pi One, and latest 1.3 OctoPrint) did not show anything wrong. It looks like the binaries were patched so that ps, netstat and similar tools would not show anything, so I replaced the 1 Gbit switch with an old 100 Mbps hub, attached my laptop and the OctoPrint to it, and waited for it to start killing the network again, and I saw a "ton of traffic" (did not really bother to decrypt it, but it looks like it was trying different exploits on my whole network + outside of my network, on the WAN). I copied my config files out of the thing, put back a fresh Armbian and restored OctoPrint to get my printer back up to speed.
My OctoPrint was not exposed to the internet (ever), I don't forward ports on my router, and my router has a pretty good firewall with Snort and all the goodies pfSense can offer, running on a decent i7 machine with 16G RAM, so enough for everything. So I doubt the intruder came from the WAN. The two points of entry are the Ethernet over power lines, which is supposed to be encrypted, supposed to be impenetrable since the devices are "paired" etc. etc., and the second possible point of entry was WiFi (it's on that network), where all the APs are either running the latest OpenWrt or the latest Ubiquiti firmware with an unguessable password. Whatever the intruder did, it somehow got on the network, found the old Armbian and hacked it.
Not a very useful story, I know, but maybe someone finds it useful somehow.
EDIT: one additional piece of info: I can't remember if I changed the default passwords or not. I always add the SSH key so I auto-login to the machine, and I don't remember if I disabled password login / changed passwords.
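
Added example (not part of the original post, and not the poster's code): when `ps`/`netstat` on a host may have been replaced, as described above, the kernel's socket table in `/proc/net/tcp` can be decoded directly and compared with what the tool printed. The sample data is constructed; the sketch assumes IPv4, a little-endian host, and that only userland tools were tampered with (a kernel-level hook would hide the `/proc` rows too).

```python
import socket
import struct

# Subset of the kernel TCP state codes used in /proc/net/tcp.
STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT", "0A": "LISTEN"}

# Constructed sample of /proc/net/tcp (trailing columns trimmed).
PROC_SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue
   0: 00000000:0016 00000000:0000 0A 00000000:00000000
   1: 3201A8C0:0016 0A01A8C0:C822 01 00000000:00000000
   2: 3201A8C0:9C40 077100CB:1A0B 01 00000000:00000000
"""

# Constructed output of a tampered `netstat -tn -a` that omits one socket.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address     Foreign Address      State
tcp        0      0 0.0.0.0:22        0.0.0.0:*            LISTEN
tcp        0      0 192.168.1.50:22   192.168.1.10:51234   ESTABLISHED
"""

def decode(hex_addr):
    """Turn '3201A8C0:0016' kernel notation into 'ip:port' as netstat prints it."""
    ip_hex, port_hex = hex_addr.split(":")
    # The IPv4 address is a 32-bit word printed in host order (little-endian assumed).
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    port = int(port_hex, 16)
    return f"{ip}:{port if port else '*'}"

def parse_proc_net_tcp(text):
    """Return (local, remote, state) for every row of a /proc/net/tcp dump."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) >= 4:
            rows.append((decode(f[1]), decode(f[2]), STATES.get(f[3], f[3])))
    return rows

def hidden_sockets(proc_text, netstat_text):
    """Sockets the kernel table lists but the userland tool did not report."""
    reported = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0] == "tcp":
            reported.add((f[3], f[4]))
    return [r for r in parse_proc_net_tcp(proc_text) if r[:2] not in reported]

if __name__ == "__main__":
    for local, remote, state in hidden_sockets(PROC_SAMPLE, NETSTAT_SAMPLE):
        print(f"not shown by netstat: {local} -> {remote} ({state})")
```

On a live system the first argument would be the contents of `/proc/net/tcp`, ideally read with an interpreter run from trusted media rather than from the suspect install.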