If you had trouble using your favorite websites last Friday, you’re not alone. Large sections of the country experienced outages on some major sites, outages that turned out to be the result of an intentional DDoS attack by hackers. The long list of shuttered websites included Twitter, PayPal, CNN, and Reddit, along with several news outlets, social media sites, and retailers.

DDoS stands for distributed denial-of-service, and basically it means the hackers sent so much traffic to those websites that it clogged them up. It’s just like walking up to your favorite ride at Disney World, only to have thousands of tour buses unload their passengers into the line before you can get there. Only, in this case, those passengers aren’t really people, they’re just cardboard cut-outs of people; they’re not going to get on the ride and the line is never going to move.

So where did all these fake people come from? That’s where things get a little surreal. According to reports from Krebs On Security about DDoS attacks like this one, hackers can hijack connections and divert them to the sites they want to slow down. One large infrastructure company, Dyn, was targeted in Friday’s attack, meaning many of the companies that rely on Dyn’s service to make their websites work were slammed with fake traffic.

The “fake people” that were busy clogging websites and making them crash were actually hacked Internet of Things (IoT) devices, which are everyday objects that have network connectivity. A Chinese software company that powers a lot of the IoT devices on the market has already stated that its products were hacked and used in this event. The company has now issued a recall of many of the products that were used to pull off the attack.

One of the chief causes of this attack traces back to the consumers who own those IoT devices. When they set up their smart TVs, connected webcams and home security cameras, DVRs, and more, any weak passwords they may have used left their accounts and their devices vulnerable to hijacking. A weak password is one that is easily guessed—something like “password,” which has long been one of the most commonly used passwords around the world—and therefore leaves the door wide open for a hacker.

A common misperception about weak passwords is that an easy password is so obvious that no hacker would think you would use it. That’s like saying, “123456 is so simple, hackers are going to think I’m smarter than that.” Unfortunately, what many people fail to realize is that cybercriminals don’t sit at their keyboards and randomly guess your password. They rely on readily available software to “crack” your password, software that is capable of making millions of guesses per second.

That’s why your password has to be strong and unique. A unique password is just what the name implies: it’s only used on one account or one device. It’s tempting to reuse your passwords—especially if you’ve gone to the trouble to memorize a really strong combination of letters and numbers—but once a hacker has that password, they can test it out on all of your accounts.

A strong password is a little trickier. It needs to have at least eight characters (if not more), and it needs to contain a combination of uppercase letters, lowercase letters, numbers, and symbols. It also shouldn’t use any part of your name, your birthdate, or any other identifying feature that can be gleaned from your account information.
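
The rules above can be turned into a check that runs when a device or account password is set. The following is an added example, not part of the original article: the function names, the YYYY-MM-DD birthdate format, and the sample owner details are assumptions, and the common-password list is a constructed sample holding only the two passwords the article mentions.

```python
import re
import string

# Constructed sample list; the article names "password" and "123456".
COMMON_PASSWORDS = {"password", "123456"}

def personal_fragments(name, birthdate):
    """Lowercase pieces of the owner's name and birthdate (YYYY-MM-DD)
    that must not appear inside a password."""
    frags = {part.lower() for part in re.split(r"\W+", name) if len(part) >= 3}
    year, month, day = birthdate.split("-")
    # The year alone, plus the usual ways of writing the date as digits.
    frags |= {year, month + day, day + month,
              month + day + year[2:], day + month + year[2:],
              month + day + year, day + month + year}
    return frags

def check_password(password, name, birthdate, passwords_in_use=()):
    """Return the reasons a password fails the rules (empty list = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    # ASCII character classes only; checked in this fixed order.
    classes = {
        "uppercase letter": string.ascii_uppercase,
        "lowercase letter": string.ascii_lowercase,
        "number": string.digits,
        "symbol": string.punctuation,
    }
    for label, chars in classes.items():
        if not any(c in chars for c in password):
            problems.append(f"no {label}")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("commonly used password")
    for frag in sorted(personal_fragments(name, birthdate)):
        if frag in lowered:
            problems.append(f"contains personal detail '{frag}'")
    # Uniqueness: the same password must not protect another account or device.
    if password in passwords_in_use:
        problems.append("already used on another account or device")
    return problems
```

A password such as "Jane!1985x" satisfies the length and character-class rules yet is still rejected, because it contains the owner's name and birth year.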

Interested in more cyber news? Check out the ITRC blog to keep you updated and aware of the latest topics and events.