The attack -- which also compromised computers, home Internet routers, media PCs and smart TV sets -- is thought to be one of the first to take advantage of the sometimes lax security found on devices that are part of what has been called the "Internet of things," Proofpoint in Sunnyvale, Calif., reported.
The global attack campaign involved more than 750,000 malicious email communications coming from more than 100,000 everyday consumer gadgets, the company said in a statement.
Cyber criminals transforming "smart" gadgets into "thingbots" to carry out malicious activity are discovering that these devices are easier to infect and control than PCs, laptops, or tablets, the firm said.
The attack occurred between Dec. 23, 2013, and Jan. 6, 2014, and featured waves of malicious email targeting businesses and individuals worldwide, Proofpoint said.
About 25 percent of the messages did not pass through laptops, desktops or smartphones, it said.
"Botnets are already a major security concern and the emergence of thingbots may make the situation much worse," David Knight, general manager of Proofpoint's Information Security division, said. "Many of these devices are poorly protected at best and consumers have virtually no way to detect or fix infections when they do occur. Enterprises may find distributed attacks increasing as more and more of these devices come on-line and attackers find additional ways to exploit them."