How do hackers find the IP address of devices?

Connecting 'things' to the Internet is becoming common because of the benefits of remote communication. You can have your camera upload its footage to a cloud storage server, or be able to view the camera remotely, for instance.

Any device on the Internet is exposed and subject to network mapping. The entire Internet is constantly being scanned, and once an IP is identified, there are processes that attempt to determine what the IP is connected to (web server, camera, fridge, your dog, etc.). From there, attackers (or researchers) can probe those devices for weaknesses and vulnerabilities (or default passwords).

To help out the attackers and researchers, databases of these IP-to-thing mappings are maintained (Shodan, for instance). Then it is trivial to simply search for "security camera Acme Security model xyz123" and apply a specific hack (as you witnessed).


It's now possible to scan the entire IPv4 Internet in a matter of minutes using a tool like ZMap or masscan.

Likewise they can use online databases like Shodan and scans.io to find huge lists of a given device quickly.

So the method has changed from searching for a few devices in a limited time to searching across all known IP addresses for the device or vulnerability of interest.


For IPv6, it's currently infeasible to scan the entire address space, but there are tricks to make the devices reveal their IPs.

One of those tricks would be to add your malicious server to a "pool" such as the NTP pool, where resolving the domain of the pool would randomly give out a server from the pool, possibly yours. Any device configured to use the pool would have a chance to hit your server and you can get their IPv6 that way. Shodan used to do this (and maybe still does) with some success.
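To make the pool trick in the answer above concrete, here is an added example (not code from the answer's author or from Shodan) of the server side of it: a minimal NTP responder that answers ordinary SNTP client requests correctly, so clients keep using it, while recording the source address of every request. The request builder, the client address `2001:db8::1`, the claimed stratum 2 and the reference ID `192.0.2.1` are constructed sample values, not observations of any real client or pool member. Binding UDP port 123 needs root, and actually being handed traffic from a pool would additionally require joining that pool and meeting its requirements; the example only shows why a device that talks to a pool ends up revealing its address to whichever member it is sent to.

```python
import socket
import struct
import time
from collections import defaultdict

NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 to 1970-01-01
NTP_PACKET = struct.Struct("!BBBbIIIQQQQ")  # 48-byte NTP header, big-endian
MODE_CLIENT, MODE_SERVER = 3, 4
# Reference ID for a stratum-2 server is the IPv4 address of its upstream;
# 192.0.2.1 is a documentation address used here as a placeholder (assumption).
FAKE_REFERENCE_ID = struct.unpack("!I", socket.inet_aton("192.0.2.1"))[0]


def unix_to_ntp(unix_seconds: float) -> int:
    """Unix time -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    return int((unix_seconds + NTP_EPOCH_OFFSET) * (1 << 32))


def ntp_to_unix(ntp_ts: int) -> float:
    """64-bit NTP timestamp -> Unix time."""
    return ntp_ts / (1 << 32) - NTP_EPOCH_OFFSET


def build_client_request(now: float) -> bytes:
    """Constructed sample of what a typical SNTP client sends (version 4, mode 3).

    Only the transmit timestamp is populated, as most clients do.
    """
    li_vn_mode = (0 << 6) | (4 << 3) | MODE_CLIENT
    return NTP_PACKET.pack(li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, unix_to_ntp(now))


class HarvestingNtpServer:
    """Answers NTP requests like a normal pool member while logging who asked."""

    def __init__(self):
        self.seen = defaultdict(int)  # client IP (v4 or v6 string) -> request count

    def handle(self, data: bytes, client_addr: tuple, recv_time: float):
        """Parse one datagram; return the reply bytes, or None if it is not a client request."""
        if len(data) < NTP_PACKET.size:
            return None
        li_vn_mode, *_, client_transmit = NTP_PACKET.unpack(data[:NTP_PACKET.size])
        version = (li_vn_mode >> 3) & 0x7
        mode = li_vn_mode & 0x7
        if mode != MODE_CLIENT or version not in (3, 4):
            return None

        # This is the whole point of the trick: the datagram's source address is
        # the client's globally reachable address, IPv6 included.
        self.seen[client_addr[0]] += 1

        # Build a plausible stratum-2 reply: echo the client's transmit timestamp
        # as the origin timestamp so the client accepts the packet as a match.
        # Transmit time is taken as recv_time here for determinism; a real
        # server would re-read the clock just before sending.
        return NTP_PACKET.pack(
            (0 << 6) | (version << 3) | MODE_SERVER,  # LI=0, same version, mode 4
            2,                                         # stratum 2 (claimed)
            6,                                         # poll exponent (64 s)
            -20,                                       # precision ~1 microsecond
            0,                                         # root delay
            0,                                         # root dispersion
            FAKE_REFERENCE_ID,
            unix_to_ntp(recv_time - 60),               # reference timestamp
            client_transmit,                           # origin timestamp
            unix_to_ntp(recv_time),                    # receive timestamp
            unix_to_ntp(recv_time),                    # transmit timestamp
        )


def serve(bind_addr: str = "::", port: int = 123) -> None:
    """Run the responder on a dual-stack UDP socket (port 123 requires root)."""
    server = HarvestingNtpServer()
    sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
    sock.bind((bind_addr, port))
    while True:
        data, addr = sock.recvfrom(512)
        reply = server.handle(data, addr, time.time())
        if reply is not None:
            sock.sendto(reply, addr)
            print(f"{addr[0]} has asked {server.seen[addr[0]]} time(s)")


if __name__ == "__main__":
    serve()
```

The reply is what matters for staying in a pool unnoticed: a client that gets a malformed or mode-mismatched answer drops the server, while one that gets a sane stratum-2 reply keeps polling it every minute or so and keeps re-announcing its address each time.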

Tags:

Ip