Streaming company Roku has revealed that over 15,000 customers' accounts were hacked using stolen login credentials from unrelated data breaches.
In data breach notices to the Attorneys General for Maine and California, Roku said hackers accessed the accounts of 15,363 US residents in a campaign that lasted from December 28, 2023, to February 21, 2024.
The attacks worked because some Roku account owners had made the mistake of using the same passwords on Roku as on multiple other websites. This gave anyone who had obtained credentials exposed in past data breaches an easy way to break into Roku accounts and lock out genuine users.
"After gaining access, they then changed the Roku login information for the affected individual Roku accounts, and, in a limited number of cases, attempted to purchase streaming subscriptions," explained Roku.
As Bleeping Computer describes, cybercriminals have been selling access to the hijacked accounts for as little as 50 cents each.
Hijacked accounts can then be used to purchase other items from Roku, using stored credit card details.
Roku claims that access to the affected Roku accounts did not allow the hackers to access social security numbers, full payment account numbers, dates of birth, or other similar sensitive personal information.
The company says that it is taking the incident "very seriously" and has secured affected accounts from further unauthorised access, and is forcing users to reset their passwords.
Obviously it wouldn't be a good idea to make the same mistake again, so if you are choosing a new password, make sure it is strong, impossible to guess and (perhaps most importantly) not the same as any password you are using elsewhere on the internet.
I can't help but feel a little bit sorry for Roku. It's Roku's name and brand being tarnished by this attack, but it can be argued that it's Roku's users who failed to apply proper security.
Credential-stuffing attacks succeed because so many people still make the mistake of reusing the same passwords in different places on the internet.
Despite the warnings, password reuse remains common, and it is unsafe behaviour: a breached service's password database can be used by hackers to access other accounts.
That's not to say Roku is blameless. It still hasn't, as far as I can see, offered any form of two-factor authentication (2FA) for its users, which is a common way to improve account security. One would hope Roku's security team might have detected the anomalous behavior sooner, instead of letting it continue for months.
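As an added illustration of the kind of anomaly detection mentioned above (this is example code written for this article, not Roku's tooling), the sketch below flags a source IP that tries many distinct accounts in a short window, then reports accounts where that IP logged in and changed the login details. The log format, event names, addresses and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth log (format, event names, thresholds are assumptions).
SAMPLE_LOG = """\
2024-01-05T10:00:01 203.0.113.7 alice@example.com login_fail
2024-01-05T10:00:03 203.0.113.7 bob@example.com login_fail
2024-01-05T10:00:05 203.0.113.7 carol@example.com login_ok
2024-01-05T10:00:09 203.0.113.7 dave@example.com login_fail
2024-01-05T10:00:40 203.0.113.7 carol@example.com credential_change
2024-01-05T11:15:30 198.51.100.20 erin@example.com login_ok
2024-01-05T11:20:00 198.51.100.20 erin@example.com credential_change
"""

def parse(log_text):
    for line in log_text.splitlines():
        ts, ip, account, event = line.split()
        yield datetime.fromisoformat(ts), ip, account, event

def stuffing_sources(events, min_accounts=4, window=timedelta(minutes=5)):
    # Flag IPs that try >= min_accounts distinct accounts inside one window.
    attempts = defaultdict(list)
    for ts, ip, account, event in events:
        if event in ("login_fail", "login_ok"):
            attempts[ip].append((ts, account))
    flagged = set()
    for ip, seq in attempts.items():
        seq.sort()
        start = 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:
                start += 1
            if len({a for _, a in seq[start:end + 1]}) >= min_accounts:
                flagged.add(ip)
                break
    return flagged

def likely_takeovers(events, flagged_ips):
    # Accounts where a flagged IP logged in, then changed the login details.
    logged_in, hits = set(), []
    for ts, ip, account, event in sorted(events):
        if ip in flagged_ips and event == "login_ok":
            logged_in.add((ip, account))
        elif event == "credential_change" and (ip, account) in logged_in:
            hits.append(account)
    return hits

EVENTS = list(parse(SAMPLE_LOG))
FLAGGED = stuffing_sources(EVENTS)
TAKEOVERS = likely_takeovers(EVENTS, FLAGGED)
```

In the sample, the single-account credential change from 198.51.100.20 is not reported, because that address never fanned out across multiple accounts.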
Roku says its security team continues to monitor for suspicious activity and urges users to remain vigilant of the threat posed by identity thieves. Users with questions about the breach are asked to contact Roku by telephone at 1-816-272-8106, or by email at [email protected].