There is probably a backdoor in the firmware. An attacker can change the custom root password (no, it's not root in my case, it's a complex one) or there is a manufacturer password. Stay behind your firewall and do not open any ports to the outside.
i have two nano 3s. both of them often become inaccessible with the password i set them to. the only way to log in to them, when this happens, is to reset to the root/root credentials that canaan ships them with, then change the password again. i haven't yet seen the pool address change or anything like that. mine sit behind a regular home router without any port forwarding so i'd be surprised if someone other than canaan is responsible for the password changes. there's no way to reach them from outside of the home router.
if someone is hacking these boxes, then my money is on canaan or one/some of their engineers doing it with dodgy firmware. they're just not reachable from outside of the home network, so the only way to mess with them is from the firmware. since i've never seen a pool address change happen, it looks more like crappy firmware corrupting the root password than an actual hack.
hanlon's razor admonishes: never attribute to malice that which is adequately explained by stupidity. given the incompetence of the canaan team in predicting shipping dates, it's not hard to imagine they have a whole stupid farm also working on their firmware.
I highly doubt anyone from canaan is hacking these miners. Aside from the fact they make like $0.15 per day, they’re still just getting started selling them. A scandal like this would set them back as a company more than they could ever make from hacking these boxes. More likely in my opinion is user error.