Hello, entry level cyber security person here. Most of the exploits that are found are a result of people throwing everything they can think of at the wall and seeing what sticks.

Many of these exploits are recorded and kept in public databases and websites. A vulnerability is found, patched by the publisher, reported in the patch notes, and recorded by these sites. Then a lazy (or cheap) system admin somewhere neglects to patch his systems and a hacker might stumble across it. It’s actually very easy to scan ports on public web services and see what’s open. It’s kinda like checking a building for what doors are locked.

If you know anything about setting up virtual machines, it’s relatively simple to set up a pre-configured OS like Metasploitable that has a ton of known vulnerabilities to practice hacking on. The purpose of this is an educational tool to help people learn how to protect their data, and maybe make a career in cyber security.

The best thing you can ever do to keep your system safe is keep it updated. Microsoft, Apple, and Google spend billions a year to keep their products as secure as possible.

Edit: Extra note just because I get asked this a lot: Anti-virus software does not work like people think it does. In general I recommend removing it. It is another attack vector to be infected or exploited and anti-virus loves to take system level privileges and break built in defenses for otherwise secure services.

Edit 2: 99% of all hacks are through social engineering. Phishing emails, infected USB drives, fake web links, or even just literally calling a company and making up a story to get access to their systems… these are your bread and butter as a hacker.