Last week’s distributed denial of service (DDoS) attacks—in which tens of millions of hacked devices were exploited to jam and take down internet computer servers—are an ominous sign for the Internet of Things. A DDoS is a cyber attack in which large numbers of devices are programmed to request access to the same Web site at the same time, creating data traffic bottlenecks that cut off access to the site. In this case the still-unknown attackers used malware known as “Mirai” to hack into devices whose passwords they could guess, because the owners either could not or did not change the devices’ default passwords.
Before the IoT attack that temporarily paralyzed the internet across much of the Northeast and other broad patches of the U.S. last week, there had been hints that such a large assault was imminent. In September a network, or “botnet,” of Mirai-infected IoT devices launched a DDoS that took down the KrebsOnSecurity.com Web site run by investigative cybersecurity journalist Brian Krebs. A few weeks later someone published the source code for Mirai openly on the Internet for anyone to use. Within days Mirai was at the heart of last week’s attacks against U.S. Dynamic Network Services, or Dyn, a domain name system (DNS) service provider. Dyn’s computer servers act like an internet switchboard by translating a Web site address into its corresponding internet protocol (IP) address. A Web browser needs that IP address to find and connect to the server hosting that site’s content.
Friday’s attacks kept the Sony PlayStation Network, Twitter, GitHub and Spotify’s Web teams busy most of the day but had little impact on the owners of the devices hijacked to launch the attacks. Most of the people whose cameras and other digital devices were involved will never know, said Matthew Cook, a co-founder of Panopticon Laboratories, a company that specializes in developing cybersecurity for online games. Cook was speaking on a panel at a cybersecurity conference in New York City on Monday.
But consumers will likely start paying more attention when they realize that someone could spy on them by hacking into their home’s Web cameras, said another conference speaker, Andrew Lee, CEO of security software maker ESET North America. An attacker could use a Web camera to learn occupants’ daily routines—and thus know when no one is home—or even to record passwords as they are typed into computers or mobile devices, Lee added.
The IoT is expanding faster than device makers’ interest in cybersecurity. In a report released Monday by the National Cyber Security Alliance and ESET, only half of the 15,527 consumers surveyed said that concerns about the cybersecurity of an IoT device have discouraged them from buying one. Slightly more than half of those surveyed said they own up to three devices—in addition to their computers and smartphones—that connect to their home routers, with another 22 percent having between four and 10 additional connected devices. Yet 43 percent of respondents reported either not having changed their default router passwords or not being sure if they had. Also, some devices’ passwords are difficult to change and others have permanent passwords coded in.
With little time for makers of connected devices to fix security problems before the holidays, numerous cybersecurity researchers recommend consumers at the very least make sure their home internet routers are protected by a secure password.