Every time you don't change default credentials
god kills a kitten
@tbr okay I am going to say this: default credentials should always be randomly generated on deploy. As in, yes, it is the sysadmin's responsibility to change them, *but* the software should also not set admin:admin and such.
Defense in depth.
A nice little Mastodon instance. Mild trolling encouraged (keep it local), but not required. Malicious behaviour is not tolerated. Follow Wheaton's law and you'll be fine.