Device manufacturers' failure to inform customers to change default passwords in their interconnected devices is being looked into as the cause of the DDoS attack on Dyn.

A yet unidentified entity was using an army of connected devices that attacked Dyn, one company that provides the address book for the internet. The resulting attack caused Twitter, Spotify, Reddit, Airbnb, Etsy, SoundCloud, and The New York Times to struggle with intermittent access.

According to the The New York Times, Dyn, whose servers monitor and reroute internet traffic, experienced a distributed denial-of-service (DDoS) attack just after 7 a.m., Friday. Inaccessibility started on the East Coast and spread westward in three waves as the day wore into evening.

The botnet attack appears to have relied on interconnected devices such as cameras, home routers, and even baby monitors without the owners' knowledge. Hackers were allegedly using software to command the devices to flood a target with overwhelming traffic.

Fortune reported that the security community is looking into the role of device makers whose products they say have a major security flaw. The companies did not advise nor required users to change a default password. This lapse made it easy for hackers to enlist so many Internet-connected devices in the botnet army responsible for last week's attack.

Familiar names like Panasonic and Xerox have begun a recall of their products but many are still out there with unpatched software leaving them vulnerable and compromised. To make matters worse, hackers dispatched a source code to control the botnet army making it certain that future attacks would still be possible.

Security researchers say the assault is only a glimpse of how unsecured devices can be used for online attacks. Going after companies like Dyn is far more damaging than attacking a single website. Dyn is one company that hosts the Domain Name System (DNS) and its primary function is to serve as a switchboard for the internet. Without DNS servers, the internet could not operate.

The question now lies whether the device makers can be held liable even though they have no direct hand in last week's directed attack. Former cyber-crime prosecutor Michael Zweiback an attorney with Alston & Bird said legal action might come in the form of lawsuits and investigations by the Federal Trade Commission.

A harder question is whether consumers who bought these items can bring lawsuits of their own. The situation differs for Dyn, the company that was targeted by last week's attack since the firm had no recourse but to directly absorb the cost of the attack. Dyn did not give a statement if it plans to pursue legal action against the device manufacturers.