It’s common knowledge that those who hold higher positions of responsibility are more likely to be targeted by hackers. The reason is that the more elevated the person’s role, the more access to information that is sensitive and therefore of greater value. Combine that with a computer system that hasn’t been patched for a known two-year-old flaw and it’s easy to see how it’s possible that military documents could be stolen from an air force officer’s computer.

According to The Wall Street Journal, though, the data theft was not the work of a nation-state attacker, nor even that targeted. And yet, the hacker was still able to access, steal, and attempt to sell the training manual and maintenance documents for the US military’s MQ-9 Reaper drone.

What makes this story so alarming is the relative ease with which the hacker was able to capture sensitive military information. Using Shodan, a search engine for internet-connected devices, the hacker scanned the internet for Netgear routers known to have miscqonfiguration vulnerabilities–in this case, a two-year-old vulnerability related to default login credentials. After stealing the documents, the cybercriminal attempted to find interested buyers on the dark web, pricing the information at just $150.

The remote-controlled aircraft at the center of the story is used for air strikes, as well as surveillance. “Developed by General Atomics, the $64 million MQ-9 Reaper is the heavily-armed follow-on to the Predator drone, capable of dropping laser-guided bombs and Hellfire missiles on a target from an altitude of 50 thousand feet,” reports The Daily Beast. While the documents pertaining to the MQ-9 weren’t technically classified, they did provide detail on the capabilities and weaknesses of the aircraft. Such information could be advantageous to enemies.

The incident is especially worrisome given that it comes on the heels of another cybersecurity situation. As The Wall Street Journal points out, “Military officials said last month that the Defense Department’s inspector general was investigating a major security breach after Chinese hackers allegedly stole data pertaining to submarine warfare, including plans to build a supersonic antiship missile.”

Last week it was reported that military and intelligence personnel who were using the Polar fitness app were inadvertently revealing their locations, even if they had set their profiles to private.

From infrastructure to apps, it seems that when it comes to confidential information, the US military has a little too much exposure. And they’re not alone. Whether civilians, businesses, military or other types of organizations, cybersecurity cannot be assumed. Relying on default settings, without patching or updating, is living dangerously.