In a new breach notice, Roku says that hackers hijacked over 15,000 user accounts and utilized customers’ saved credit card information. However, Roku’s security was not compromised in this breach. This is a case of customers reusing old passwords.
An attack method called credential stuffing is responsible for this breach. Credential stuffing is incredibly simple—hackers take a list of known email and password combinations, dump each one into a website’s login field, and take note of any credentials that produce a successful login. The emails and passwords used in this breach were obtained from previous, unrelated data breaches.
Several individuals or groups may have participated in this attack. They likely used credential-stuffing tools like Open Bullet 2 to automate the attack process. And, as discovered by Bleeping Computer, compromised Roku accounts were sold on Telegram and other platforms for as little as 50¢ apiece. Buyers were encouraged to immediately change the login and recovery details for purchased accounts. In some cases, these buyers also used customers’ credit card information to purchase new streaming subscriptions or Roku hardware.
“Through our investigation, we determined that unauthorized actors had likely obtained certain usernames and passwords of consumers from third-party sources (e.g., through data breaches of third-party services that are not related to Roku)”
According to Roku’s breach notice, 15,363 customer accounts were affected in this breach. The number of accounts that were hit by fraudulent purchases is unknown.
Sensitive materials, such as birthdays or full payment details, were not exposed in this breach. However, hackers are well aware that a successful username and password combination may be reused across several websites or services. You need to stop reusing passwords and consider using a password manager. I also suggest using HaveIBeenPwned to see if your credentials have appeared in a public data breach.
Of course, customers can’t be blamed for this breach. Roku needs to take steps to prevent unauthorized account logins. If a Roku account can make purchases with a credit card, the account should be protected by two-factor authentication and other security systems. Roku currently offers two-factor authentication for its smart home products but does not provide the same protection for streaming accounts.
Roku published its data breach notice on Friday, March 8th. This notice will be sent to affected customers, though Roku has already forced customers to reset their passwords. The company also says that it has identified and reversed fraudulent purchases. You may have received a refund for a fraudulent purchase without realizing it, though you should still take a few minutes to investigate your Roku account and associated credit card bill.
Source: Roku via Bleeping Computer