A cyberattack targeting a little-known internet infrastructure company, Dyn, blocked access to dozens of websites on Friday, leaving some users unable to access PayPal, Twitter and Spotify.
Dyn, whose clients include some of the world’s most visited websites, said it did not know who was responsible for the outage, which began in the eastern United States and then spread to other parts of the country and overseas.
The outage was intermittent, making it difficult to identify all the victims, but tech news site Gizmodo listed over 50 sites affected by the attack, including CNN, HBO Now, Mashable, The New York Times, People.com, The Wall Street Journal, and Yelp.
Dyn said the attacks come from tens of millions of internet-connected devices, such as webcams, printers and thermostats, which have been infected with malicious software, turning them into “bots” that can be used to launch large-scale distributed denial-of-service attacks.
The Department of Homeland Security warned about this powerful new approach last week, saying it was concerned about the possibility of new attacks after the malware code used in these attacks was made public on the internet.
Dyn said late Friday that it was battling a third wave of major attacks that are coming from all over the world and making it difficult to respond.
“The complexity of the attacks makes it very challenging for us,” said Kyle York, Dyn’s chief strategy officer.
The Department of Homeland Security and the Federal Bureau of Investigation said they are investigating.
The disruption comes at a time of unprecedented concern over cyber threats in the United States, with hackers infiltrating political and electoral institutions.
Dyn said it had resolved the morning attack, which disrupted operations for about two hours, but revealed a second attack hours later that was causing further disruption.
Dyn said early Friday that the outage was limited to the eastern U.S. Amazon later reported that the problem was affecting users in Western Europe. Late Friday night, some users in London were unable to access Twitter and some news sites.
PayPal Holdings Inc. said the outage left some customers in “certain regions” unable to make payments. The company apologized for the inconvenience and said its network had not been hacked.
The web services unit of Amazon.com Inc., one of the world’s largest cloud-computing companies, reported a similar outage but said it had been resolved early Friday afternoon.
Dyn is a Manchester, New Hampshire-based service provider that manages domain name servers (DNS), which act as switchboards that connect Internet traffic. Requests to access a site are sent through a DNS server that directs them to the computer that hosts the website.
Dyn said it was still investigating how the attack led to the outage, but its top priority was restoring service.
Large DNS providers are responsible for forwarding large amounts of Internet traffic, so attacks against them could cause massive disruption.