Whether it’s because of convenience or feeling too lazy to do something about it, a lot of online accounts are only guarded by a simple password, with no other security measures. Because many people also reuse that password across sites, credential stuffing is one of the most common methods of hacking into accounts. It took Roku almost 600,000 hacked accounts to actually do something about it, but better late than never.



Roku will enforce mandatory two-factor authentication (2FA) on all accounts following security breaches that affected approximately 591,000 user accounts earlier this year. The breaches apparently occurred in two separate incidents: the first impacted 15,363 accounts and prompted closer monitoring of account activity in March, after which the company discovered a much bigger breach affecting about 576,000 accounts. Less than 1% of all Roku accounts were affected, but given the massive size of Roku’s installed base, that’s still a lot of people.


In a smaller subset of about 400 accounts, attackers used the compromised logins to purchase streaming subscriptions and Roku hardware with the stored payment details. Affected users have been reimbursed, and sensitive information like full credit card numbers remained inaccessible to the attackers, so if you were one of those 400, you probably don’t need to go request a replacement for your credit card. The breaches primarily resulted from credential stuffing attacks: the attackers replayed username and password pairs stolen from other services against Roku’s login, rather than compromising Roku’s own systems.
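The telltale pattern of credential stuffing is one source trying many different accounts with mostly failed logins, quite unlike a legitimate user mistyping their own password. The following detector is an added example written for this page, not code from Roku or The Register; the log format (`ip=... user=... result=...`) and the sample lines are constructed, and the thresholds are assumptions a defender would tune to their own traffic.

```python
"""Flag credential-stuffing sources in constructed auth log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one ordinary user retrying a typo, one source spraying
# leaked credentials across many accounts. Not real Roku log data.
SAMPLE_LOG = """\
2024-03-10T12:00:01Z ip=198.51.100.23 user=alice@example.com result=success
2024-03-10T12:00:04Z ip=203.0.113.7 user=bob@example.com result=fail
2024-03-10T12:00:05Z ip=203.0.113.7 user=carol@example.com result=fail
2024-03-10T12:00:05Z ip=203.0.113.7 user=dave@example.com result=fail
2024-03-10T12:00:06Z ip=203.0.113.7 user=erin@example.com result=success
2024-03-10T12:00:07Z ip=203.0.113.7 user=frank@example.com result=fail
2024-03-10T12:00:08Z ip=203.0.113.7 user=grace@example.com result=fail
2024-03-10T12:00:09Z ip=203.0.113.7 user=heidi@example.com result=fail
2024-03-10T12:00:10Z ip=203.0.113.7 user=ivan@example.com result=success
2024-03-10T12:01:30Z ip=198.51.100.23 user=alice@example.com result=fail
2024-03-10T12:01:40Z ip=198.51.100.23 user=alice@example.com result=success
"""

# Assumed log format; adjust the pattern to the real authentication log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"],
        "result": m["result"],
    }


def detect_stuffing(lines, window=timedelta(minutes=5),
                    min_distinct_users=5, max_success_rate=0.5):
    """Per source IP, slide a time window over its login attempts and flag it when
    the window covers many distinct usernames with a low success rate.

    Returns {ip: {"distinct_users", "attempts", "successes", "compromised"}}, where
    "compromised" lists accounts that logged in successfully from the flagged source
    (the candidates for forced password reset and review of recent purchases).
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])  # stable: equal timestamps keep log order
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            successes = [e["user"] for e in win if e["result"] == "success"]
            if len(users) < min_distinct_users:
                continue
            if len(successes) / len(win) > max_success_rate:
                continue  # many accounts but mostly succeeding: not a stuffing signature
            if ip not in alerts or len(users) > alerts[ip]["distinct_users"]:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "successes": len(successes),
                    "compromised": successes,
                }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['distinct_users']} accounts tried, "
              f"{info['successes']}/{info['attempts']} succeeded, "
              f"likely compromised: {info['compromised']}")
```

The distinct-username threshold is what separates stuffing from an ordinary user (or a brute-force attempt) hammering a single account; the success-rate cap keeps a shared office NAT with many real users from tripping the rule. Real campaigns spread attempts across proxy pools, so in production the same logic is usually keyed on ASN, device fingerprint, or a request signature as well as on the raw IP.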

Although Roku has over 80 million active accounts, only a minority were affected, and all users have undergone mandatory password resets. Additionally, the platform now requires 2FA for all accounts, regardless of whether they were impacted by the breaches or not. That comes too late for those ~600,000 users, but if you’re not among them, it’s not too late for you.


If you haven’t already, you should also go and create a strong, unique password for your Roku account, and preferably use a password manager to keep it safe. This won’t make your account 100% bulletproof, as Roku’s own servers could still be compromised at some point in the future, but it defeats credential stuffing outright: a password leaked from some other site will no longer open your Roku account, and 2FA covers the case where the Roku password itself leaks.

Source: The Register