Shopping mall surveillance cameras are under attack. Lax security settings on the closed circuit television monitors are being exploited by hackers who use the cameras to knock outside Web servers and applications offline.

Weak security conditions – never resetting factory defaults and weak or nonexistent password protections – in CCTV systems were shown in a report released Wednesday by the cloud security company Imperva. Investigators, responding to an attack in which one client was overwhelmed with 20,000 Web requests per second, traced the traffic back to IP addresses that belonged to CCTV cameras. Further examination revealed that the cameras were all using their default log-in credentials and had been hijacked as part of a botnet campaign (a network of unwitting computers being used to carry out a distributed denial-of-service attack).

The target of the attack was “a rarely-used asset of a large cloud service, catering to millions of users worldwide.”

“Notably, the compromised cameras we monitored were logged from multiple locations in almost every case – a sign that they were likely hacked by several different individuals,” Imperva explained in a blog post announcing the findings. “This just goes to show how easy it is to locate and exploit such unsecured devices.”

Nearly 250 million video surveillance cameras were installed throughout the world in 2014, 65 percent of which are in Asia.

Surveillance cameras are a perfect encapsulation of the nightmare scenario much of the cybersecurity community is so nervous about. The number of Internet-connected devices is expected to grow from 10 billion in 2015 to over 50 billion by 2020. The opportunity to build-in secure technology from the start is now, experts say, rather than to be engaged in a game of constant catch-up.