Ryan Haines / Android Authority
TL;DR
- Over 15,000 Roku accounts were compromised using stolen login credentials.
- Hackers had access to stored credit card information and used it for fraudulent transactions.
Streaming giant Roku disclosed a data breach impacting over 15,000 customers. The hackers exploited stolen login credentials to gain unauthorized access and make fraudulent purchases.
Roku notified consumers about the breach last Friday, revealing that hackers used a technique called “credential stuffing” to infiltrate 15,363 accounts. Credential stuffing involves using leaked usernames and passwords from other data breaches to try logging into accounts on different services. These attacks started in December 2023 and continued until late February 2024, as per the company.
Bleeping Computer first reported the breach, noting that attackers used automated tools to perform credential-stuffing attacks against Roku. the hackers were able to bypass security measures with tactics like specific URLs and rotating proxy servers.
In this case, hackers likely obtained login credentials exposed in previous breaches of other online services and attempted to use them on Roku accounts. If successful, they could then change the account information and gain full control, locking people out of their own accounts.
The publication further discovered that stolen accounts are being sold for as low as 50 cents each on hacking marketplaces. Purchasers could then potentially use the stored credit card information on these accounts to buy Roku hardware, such as streaming devices, soundbars, and light strips.
Roku confirmed that hackers used stolen credentials to purchase streaming subscriptions like Netflix, Hulu, and Disney Plus in some instances. The company says it has secured affected accounts and forced a password reset on them. Additionally, Roku’s security team has identified and canceled unauthorized purchases, initiating refunds for impacted customers.
Fortunately, the data breach did not expose sensitive information like social security numbers or full credit card details. So the hackers shouldn’t be able to conduct any fraudulent transactions outside of the Roku ecosystem. However, it’s advisable that you change your Roku passwords as a precaution.
Even if you weren’t impacted, this is a wake-up call underscoring the importance of strong password hygiene. Most importantly, change your passwords every few months and avoid using the same password for multiple accounts whenever possible.