Millions of common internet-connected devices like security cameras and digital video recorders were used to conduct the colossal cyberattack that made it difficult for Americans to access some of the world’s most popular websites Friday, researchers said.

Websites including Twitter, Amazon, Spotify and Airbnb were hard to reach Friday as the result of a distributed denial-of-service (DDoS) attack waged against Dyn, a New Hampshire-based internet company that operates a widely used Domain Name System (DNS) — a phonebook of sorts that ensures Web users can reach certain sites by typing their respective domain names instead of hard-to-remember numerical IP addresses.

By flooding Dyn’s systems with unprecedented amounts of illegitimate internet traffic, attackers successfully sidelined its DNS services three separate times on Friday and caused widespread outages across Europe and North America and prompting a response from the White House; at a briefing Friday afternoon, White House press secretary Josh Earnest said FBI and Department of Homeland Security officials were both “monitoring the situation” and “investigating all potential causes.”

Flashpoint, a U.S.-based security firm, said the infrastructure used to wage the debilitating DDoS attack Friday was composed at least partially by compromised cameras and other digital devices capable of connecting to the internet – an ever-growing category of interconnected products and appliances considered to make up a phenomenon colloquially referred to as the Internet of Things, or IoT.

Hackers scoured the internet for IoT devices using malicious software known as Mirai, then initiated an automated mechanism that attempted to compromise various electronics by using their default factory-set passwords. These hacked devices then formed various “botnets” of connected nodes that were harnessed in order to overload Dyn with traffic and disrupts its DNS services.

“It’s just so darn distributed,” Dyn Chief Strategy Officer Kyle York told reporters Friday, according to NPR. “Literally, picture tens of millions of things attacking a data center. No matter the size and scale of the independent things, tens of millions of anything make up something large. And that’s the complexity of this.”

A Mirai botnet was used last month to take down the OVH, a French internet service and hosting provider, as well as the website of Brian Krebs, a cybersecurity reporter and best-selling author. An individual using the alias “Anna-senpai” released the source code for the malware strain in the aftermath of the attacks, “virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices,” Mr. Krebs wrote at the time.

“The way that they directed this at core infrastructure, there’s no reason they couldn’t scale this to a much broader attack,” former White House cybersecurity advisor Chris Finan told DefenseOne on Friday with regards to the recent Dyn attack.

“The websites that they have taken offline today is still not the majority of what business uses in the U.S. If this was broadened, it could be crippling to businesses,” he said.