A Chinese manufacturer of internet-connected surveillance cameras has recalled a number of its products said to have been used in Friday’s cyberattack.
The three-wave attack against Dyn, a managed domain name system provider, lasted almost all day, leaving millions on the US east coast unable to access dozens of high-profile websites.
In a statement, Xiongmai said hackers were able to hijack hundreds of thousands of its devices into a botnet because users had not changed the devices’ default passwords.
The botnet then flooded Dyn’s servers with traffic, which led to its systems overloading and failing. Websites that relied on Dyn’s managed domain name system, including Reddit, Spotify, and Twitter, appeared offline.
But the company rejected claims that its devices made up the bulk of the attack.
“Security issues are a problem facing all mankind,” the statement said. “Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too.”
The company confirmed that it will recall some of its older products sold in the US made before April 2015 in an effort to improve its password functionality.
An early post-mortem of the cyberattack said “tens of millions” of networks pummeled Dyn’s servers in what was was described as a “highly distributed” attack.
“The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations,” the company said.
Dyn is expected to give a more detailed update early next week.