The Federal Trade Commission has filed a lawsuit against popular router maker D-Link for failing to take steps to properly secure its devices to and leaving consumers vulnerable to hacks and exploits.

In the complaint, filed by the FTC last week, the commission claims the Taiwanese manufacturer of “failed to take reasonable steps to protect their routers and [Internet Protocol] cameras from widely known and reasonably foreseeable risks of unauthorized access.”

According to the complaint, D-Link left “thousands of consumers" at risk.

The FTC said D-Link failed its duty to secure its products in a number of ways, including missing or ignoring “flaws which the Open Web Application Security Project has ranked among the most critical and widespread web application vulnerabilities since at least 2007."

D-Link is also accused of repeatedly failing to implement software testing to protect against common security flaws and injection attacks that allow hackers to remotely gain control of a device.

The FTC also said D-Link failed to keep private its own security keys, which it uses to sign off on the integrity of its software—an issue that resulted in a private key being outed on a publicly accessible website for about six months.

D-Link also allegedly failed to make use of free software that helps secure user login credentials on mobile apps—software the FTC says has been available since 2008—and opted instead to store usernames and passwords in plain text on a user’s mobile device.

“D-Link denies the allegations outlined in the complaint and is taking steps to defend the action,” the company told the Verge in a statement.

The FTC complaint comes just months after a widespread distributed denial of service (DDoS) attack. The attackers managed to turn a huge collection of insecure internet of things (IoT) devices—products with an internet connection like D-Link’s webcam—into a massive botnet that was able to take down a number of highly trafficked websites and services including Spotify, Twitter, Pinterest and Reddit.

The attack was made possible because many IoT devices use default login information and could easily be hijacked and controlled remotely.

In response to the attack, the Federal Communications Commission (FCC) began exploring regulatory framework to require IoT device makers to ensure the security of their products.