(Reuters) – Cyber attacks targeting a little known internet infrastructure company, Dyn, disrupted access to dozens of websites on Friday, preventing some users from accessing PayPal, Twitter and Spotify.
Dyn, whose customers include some of the world’s most widely visited websites, said it did not know who was responsible for the outages that began in the Eastern United States, and then spread to other parts of the country and overseas.
The outages were intermittent, making it difficult to identify all the victims. But technology news site Gizmodo named some five dozen sites that were affected by the attack. They included CNN, HBO Now, Mashable, the New York Times, People.com, the Wall Street Journal and Yelp.
Dyn said attacks were coming from tens of millions of Internet-connected devices — such as web cams, printers and thermostats — infected with malicious software that turns them into “bots” that can be used in massive distributed denial of service attacks.
The U.S. Department of Homeland Security last week issued a warning about this powerful new approach, noting it was concerned about the potential for new attacks after code for malware used in these attacks was published on the internet.
Dyn said late on Friday that it was fighting the third major wave of attacks, which were being launched from locations spread across the globe, making them harder to fight.
“The complexity of the attacks is what’s making it very challenging for us,” said Dyn’s chief strategy officer, Kyle York.
The U.S. Department of Homeland Security and the Federal Bureau of Investigation said they were investigating.
The disruptions come at a time of unprecedented fears about the cyber threat in the United States, where hackers have breached political organizations and election agencies.
Dyn said it had resolved one morning attack, which disrupted operations for about two hours, but disclosed a second a few hours later that was causing further disruptions.
Dyn said early on Friday that the outage was limited to the Eastern United States. Amazon later reported that the issue was affecting users in Western Europe. Twitter and some news sites could not be accessed by some users in London late on Friday evening.
PayPal Holdings Inc said that the outage prevented some customers in “certain regions” from making payments. It apologized to customers for the inconvenience and said that its networks had not been hacked.
Amazon.com Inc’s web services division, one of the world’s biggest cloud computing companies, also reported a related outage, which it said was resolved early Friday afternoon.
Dyn is a Manchester, New Hampshire-based provider of services for managing domain name servers (DNS), which act as switchboards connecting internet traffic. Requests to access sites are transmitted through DNS servers that direct them to computers that host websites.
Dyn said it was still trying to determine how the attack led to the outage but that its first priority was restoring service.
Attacking a large DNS provider can create massive disruptions because such firms are responsible for forwarding large volumes of internet traffic.
(Reporting by Jim Finkle in Boston, Dustin Volz in Washington, Joseph Menn in San Francisco. Additional reporting by Eric Auchard in Frankurt, Joseph Menn in San Francisco and Malathi Nayak in New York, Jeff Mason and Mark Hosenball in Washington, Adrian Croft and Frances Kerry in London; Editing by Bill Trott and Lisa Shumaker)