The National Cyber Security Centre (NCSC) is advising people to tweak the settings after buying them.
Easy-to-guess default passwords might let a hacker secretly observe a home through connected devices, it said.
The NCSC's technical director, Dr Ian Levy, warned while the devices were "fantastic innovations", they were vulnerable to cyber-attackers.
There are many examples of devices being accessed without permission.
In one, the attacker spoke to a young girl, pretending to be Father Christmas.
In another, a couple from Leeds had been watched thousands of times online without their knowledge.
And security researchers easily breached an adult toy that had a camera attached, in 2017.
The new guidance for owners of smart cameras suggests three steps:
- changing the default password, which is often an obvious word like "admin" or "00000" to an unguessable, unique one
- keeping the camera's software, sometimes called firmware, updated
- switching off features that let you check the cameras remotely, if you don't need or use it