When a novel hacking attack crippled parts of the Internet in October, it cut off consumers' access to popular websites like Netflix and Kayak for hours at a time. For online retailers, the effect was the same as when a physical store shuts down: no customers and no sales.

While hacking is not responsible for every website shutdown—an ordinary onslaught of customer traffic caused the online operations of Target and Neiman Marcus to buckle last year—the threat is adding to retailers’ anxiety at a time when Internet sales are a critical growth area.

In the case of Amazon, which reportedly sold 398 items per second one day this summer, the security firm UpGuard recently estimated that ten minutes of downtime could translate to a loss of over $2 million in sales.


And while hacking threats are not new, they took on a new potency this year when malicious coders discovered how to conscript millions of Internet of Things devices—security cameras and routers and so on—into a “botnet” army. This army of hijacked devices, which can deliver a huge surge of junk web traffic to knock websites offline, is fueling what a recent Akamai report described as a new wave of “mega” attacks.

According to Jo Webber, who founded the payment platform Oink, big retailers like Amazon typically have the resources to rebuff a direct attack on their sites. But they are still vulnerable to incidents where hackers target internet infrastructure that retailers rely upon. (The October attack, for instance, caused havoc because it took out Dyn, a domain name server that translates familiar phrases like “amazon.com” or “google.com” into the strings of numbers that are the actual address of a website.)


Webber, who now runs data security company Spirion, also warns that small and medium-sized retailers remain vulnerable to being knocked offline by large floods of traffic from botnets. In the worst case, she warns, hackers could turn their botnets into a tool for extortion, basically telling retailers “pay us or we’ll knock your site offline on Cyber Monday.”

The good news is that, as of Saturday morning, there have been no reports of hackers knocking retailers offline, even as the likes of Amazon appear on the way to posting another weekend of record-breaking sales.

Macy’s website, however, buckled under a surge of customer demand. (Target, meanwhile, sought to avoid last year’s debacle by stretching out its Cyber Monday sales over two days.)