Upon gaining access to the CloudSail API, which they did using a recovered API key, they could:
List all connected devices and their IP addresses
Establish remote tunnels to those devices
Access the robot dog’s web interface with no authentication
Use the robot’s cameras for live surveillance
Log in via SSH using default credentials (pi/123)
Move laterally within internal networks to which the robot is connected
https://news.ycombinator.com/item?id=43604706