Yesterday, a large-scale attack on internet infrastructure disrupted Twitter, PayPal, Amazon Web Services, and dozens of other sites, most apparently linked to the domain name service Dyn. Now, security researchers say they’ve identified at least one culprit in the attack—a massive network of hijacked Internet of Things devices, including connected cameras and digital recorders, marshaled to send the gargantuan waves of domain requests that overwhelmed directory servers.
Remarkably, according to Flashpoint security research head Allison Nixon, most of the components involved were made by one company, China’s XiongMai Technologies. Those components, which are used in a variety of devices under other brands, include hard-coded factory-default passwords, which cannot be reset by users easily, if at all, making it simple for hackers to gain control of them en masse.
The software used to control these devices—which almost certainly number into the millions—is a malware package known as Mirai (the Japanese word for “future”). The source code for that software was made public by its anonymous creator earlier this month, meaning that any of a huge number of malicious hackers could have been responsible for yesterday’s attack.
According to security researcher Bruce Schneier, the attacks are likely unrelated to the escalating series of coordinated DDoS attacks we reported on earlier this month. But they are linked to a record-setting assault on the website of Krebs on Security, confirmed to be caused by a Mirai botnet.
This attack, then, is the realization of worst-case-scenario warnings from security experts about the risk posed by the Internet of Things. And there seem to be few options for preventing a repeat performance.