Everyone with a Roku TV or streaming device will eventually be forced to enable two-factor authentication after the company disclosed two separate incidents in which roughly 600,000 customers had their accounts accessed through credential stuffing.
Credential stuffing is an attack in which usernames and passwords exposed in one leak are tried against other services, typically using automated scripts. When people reuse the same username and password across services, or make small, easily guessed changes between them, attackers can gain access to accounts holding even more personal information and privileges.
In the case of the Roku attacks, that meant access to stored payment methods, which could then be used to buy streaming subscriptions and Roku hardware. Roku wrote on its blog, and in a mandated data breach report, that purchases occurred in “less than 400 cases” and that full credit card numbers and other “sensitive information” were not revealed.
The first incident, “earlier this year,” involved roughly 15,000 user accounts, Roku stated. By monitoring these accounts, Roku identified a second incident, one that touched 576,000 accounts. These were collectively “a small fraction of Roku’s more than 80M active accounts,” the post states, but the streaming giant will work to prevent future such stuffing attacks.
The affected accounts will have their passwords reset and will be notified, and fraudulent charges will be reversed. At their next login, every Roku account holder will need to verify the account through a link sent to its email address. Alternatively, one can use the device ID of any linked Roku device, according to Roku’s support page. (Forcing this upgrade yourself is probably a good idea for past or present Roku owners.)
Security blog BleepingComputer reported around the time of the incident that breached Roku accounts were sold for as little as 50 cents each and likely obtained using commonly available stuffing tools that bypass brute-force protections through proxies and other means. BleepingComputer reported that “a source” tied Roku’s recent updates to its Dispute Resolution Terms, which all but locked Roku devices until a customer agreed, to the fraudulent activity. Roku told BleepingComputer that the two were not related.
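The two passages above describe why credential stuffing is hard to stop with ordinary brute-force protections: each leaked username and password pair is tried only once or twice, and the attempts are spread across many proxies, so no single IP address ever trips a per-IP lockout. The following is an added example, not code from Roku or from BleepingComputer, showing detection logic a defender could run over an authentication log. The log format (`ip=`, `user=`, `result=`), the thresholds, and the sample log lines are all constructed for illustration. It contrasts a naive per-IP failure count, which sees nothing, with a window-level check that flags a burst of failed logins spread over many distinct accounts and many distinct source IPs.

```python
"""Detect credential stuffing in an authentication log (added example).

A per-IP failure counter misses a stuffing run that rotates through proxies,
because each IP makes only a handful of attempts. Looking at the whole login
stream in a fixed time window instead, the signature of stuffing is a high
failure ratio spread over many distinct accounts, each tried once or twice.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Hypothetical log line format, constructed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)
WINDOW = timedelta(minutes=5)


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line):
    """Parse one log line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return LoginEvent(ts, m["ip"], m["user"], m["result"] == "OK")


def parse_log(text):
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def per_ip_failures(events, threshold=5):
    """Naive control: source IPs with more than `threshold` failed logins."""
    fails = Counter(e.ip for e in events if not e.ok)
    return {ip for ip, n in fails.items() if n > threshold}


def bucket_key(ts, window=WINDOW):
    """Floor a timestamp to the start of its fixed-size window."""
    secs, w = int(ts.timestamp()), int(window.total_seconds())
    return datetime.fromtimestamp(secs - secs % w, tz=timezone.utc)


def detect_stuffing(events, window=WINDOW, min_attempts=20, min_fail_ratio=0.8,
                    min_distinct_users=10, min_user_spread=0.5):
    """Per window: attempts, failure ratio, account spread, and a stuffing verdict.

    `min_user_spread` is distinct users divided by attempts; a value near 1
    means each account was tried about once, which separates stuffing from a
    single account being brute-forced.
    """
    buckets = {}
    for e in events:
        buckets.setdefault(bucket_key(e.ts, window), []).append(e)
    report = {}
    for start, chunk in sorted(buckets.items()):
        fails = sum(1 for e in chunk if not e.ok)
        users = {e.user for e in chunk}
        per_ip = Counter(e.ip for e in chunk)
        fail_ratio = fails / len(chunk)
        spread = len(users) / len(chunk)
        stuffing = (len(chunk) >= min_attempts and fail_ratio >= min_fail_ratio
                    and len(users) >= min_distinct_users and spread >= min_user_spread)
        report[start.isoformat()] = {
            "attempts": len(chunk), "failures": fails, "fail_ratio": round(fail_ratio, 2),
            "distinct_users": len(users), "distinct_ips": len(per_ip),
            "max_per_ip": max(per_ip.values()), "stuffing": stuffing,
        }
    return report


# Constructed sample log (not real telemetry): a stuffing burst at 10:00 with
# 22 accounts from 22 source IPs, one attempt each, one reused credential that
# succeeds; one legitimate user mistyping twice; then quiet traffic at 10:10.
_STUFFING_BURST = [
    f"2024-03-11T10:00:{i:02d}Z ip=198.51.100.{i + 1} user=u{i:02d} "
    f"result={'OK' if i == 7 else 'FAIL'}"
    for i in range(22)
]
SAMPLE_LOG = "\n".join(_STUFFING_BURST + [
    "2024-03-11T10:01:00Z ip=203.0.113.5 user=alice result=FAIL",
    "2024-03-11T10:01:05Z ip=203.0.113.5 user=alice result=FAIL",
    "2024-03-11T10:10:30Z ip=203.0.113.5 user=alice result=OK",
    "2024-03-11T10:11:00Z ip=203.0.113.9 user=bob result=OK",
    "2024-03-11T10:12:00Z ip=203.0.113.12 user=carol result=FAIL",
    "2024-03-11T10:12:10Z ip=203.0.113.12 user=carol result=OK",
])

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP lockout candidates:", per_ip_failures(evs) or "none")
    for start, stats in detect_stuffing(evs).items():
        print(start, stats)
```

On the constructed log the per-IP check returns no candidates, since no address fails more than twice, while the 10:00 window is flagged: 24 attempts, 23 failures, 23 distinct accounts. The one successful login inside a flagged window is exactly the event worth an alert and a forced password reset plus email verification of the kind described above, since it is most likely a reused credential rather than the account owner.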