They cracked the APK to get the default password, but googling for it I see it is in a CVE from 2022

https://nvd.nist.gov/vuln/detail/CVE-2022-37255