Here’s a cautionary tale of why you should always change your default passwords on any electronic device hooked up to the so-called “Internet of Things.”
It’s been revealed that the hackers behind a massive cyber attack on the cybersecurity news site KrebsOnSecurity.com got access to more than 1 million devices through simple or default passwords. The attack is believed to be the largest DDoS cyber attack ever recorded. The unknown hackers used two separate botnets, which in total comprised around 1.5 million hijacked devices, Motherboard reports.
A DDoS (Distributed Denial of Service) attack is a way of knocking a website or online service offline by flooding it with traffic from multiple (usually hijacked) sources. In the case of Krebs On Security, the attack last month managed to overwhelm the site with at least 620 gigabits of traffic per second.
Krebs explained that the attack was spread through a botnet that had obtained access to hundreds of thousands of devices that are hooked up to the Internet of Things, such as “routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords.”
The devices were accessed through 61 different default or simple passwords. The most common (and most obvious) were: “password,” “admin,” “default,” “123456,” “54321,” “(none),” “11111,” and “pass,” according to CSO Online.
Moral of the story: never assume any device connected to the Internet is protected. As CSO added, the more things we add to the massive web of Internet-enabled appliances and devices, the more likely these types of attacks will become.