I just read this recent article here:
This will continue to be the most rapid growing of attack surfaces in cyber security.
Non IT businesses throwing "connected", webified stuff in the market because it's the "new thing" to make it all "smart".
Sadly their lacking of even most essential protective measures will continue to let risks grow for all of us.
Why? A little example...
Primary victims can very well be the cause for secondary breaches like your friends that "hopped" on the "smart home everything" train, thus saving a few bucks to buy their stuff for cheap directly from China via Aliexpress for instance.
Little did they know that they invited bad actors into their homes, via easily breachable interconnected smart home devices, compromising not only their own data but possibly contact info and other sensitive data of their friends as well.
IoT will be the arena with the most cyber exploit potential in the foreseeable future.
Stay frosty out there my friends!