I’d be willing to bet that’s what it is. I’ve been a home automation hobbyist for many years now and I was looking at how home automation systems use Alexa. The security was completely nonexistent when I looked at it. You were leaving household functions like lights or maybe your thermostat or even door locks open to whomever could find a certain URL and trigger whatever they wanted to. IIRC, I wasn’t even able to use https. It was a massive security hole that I was shocked that ANYONE would ever allow. I guess that’s the problem when inexperienced people start playing around with advanced tech.
I’ll bet what happened is that there’s an online tutorial of how to set up something like SmartThings with Alexa and some guy whipped up a little bot to search for systems with URLs that match the default ones in the tutorial. Once you’ve got that, Bob’s your uncle and you’re controlling their lights and making their Alexa laugh.
I’ve had enough weirdness emerge from online into real life despite precautions that I’d never want to intentionally leave my home open to it, and most are ill-equipped to safeguard themselves, not that even that would prevent a determined individual. Truth be known it’s all a keyword scheme for ad placement anyhow. Ever noticed how your online discussions can tend to drive ads? Well, this taps your discussions at home, probably even the camera. Nothing any more noxious than that, on the part of Alexa itself. But, they’re alarmingly sloppy as you note. Nefarious uses are there for the taking.