15,363 Roku accounts were compromised last year as bad actors gained access to a lot of sensitive data on the platform. Evidence suggests they obtained credit card information and attempted to make purchases.
This news comes from a pair of filings Roku made on March 8 to the attorneys general's offices for Maine and California. Both come with a notice explaining exactly what happened. The document is publicly available if you want the full details. But the gist of it is that the hackers bought customer usernames and passwords from a third-party source and then used them to log in to Roku accounts. This process is known as a credential stuffing attack, according to tech news site BleepingComputer, which initially discovered the two notices.
After gaining access, the bad actors changed the account’s login information, locking out the original owner. Roku states the hackers also tried to buy streaming subscriptions using stored credit cards. Because the details were altered, account holders would not have received order confirmation emails if the hackers bought something.
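To make the two steps just described concrete from the defender's side, here is an added example (not from the Roku notice or from Roku's own systems) that scans constructed login events for both patterns: one source IP failing logins across many distinct accounts, and a successful login followed quickly by an email or password change from the same source. The log format, event names and thresholds are assumptions.

```python
"""Credential-stuffing triage over constructed auth logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per line: "timestamp ip user event".
# The format and event names are assumptions, not any real service's log.
SAMPLE_LOG = """\
2024-02-21T10:00:01 203.0.113.7 alice login_fail
2024-02-21T10:00:02 203.0.113.7 bob login_fail
2024-02-21T10:00:03 203.0.113.7 carol login_fail
2024-02-21T10:00:04 203.0.113.7 dave login_fail
2024-02-21T10:00:05 203.0.113.7 erin login_fail
2024-02-21T10:00:06 203.0.113.7 frank login_ok
2024-02-21T10:01:10 203.0.113.7 frank email_change
2024-02-21T10:05:00 198.51.100.9 grace login_ok
2024-02-21T12:00:00 198.51.100.9 grace login_fail
"""

def parse(log):
    """Turn the text log into (timestamp, ip, user, event) tuples."""
    events = []
    for line in log.splitlines():
        ts, ip, user, event = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, event))
    return events

def spraying_ips(events, min_users=5):
    """IPs whose failed logins span at least `min_users` distinct accounts,
    the signature of a bought credential list being replayed."""
    failed = defaultdict(set)
    for _, ip, user, event in events:
        if event == "login_fail":
            failed[ip].add(user)
    return sorted(ip for ip, users in failed.items() if len(users) >= min_users)

def takeover_candidates(events, window=timedelta(minutes=15)):
    """Accounts where a successful login was followed within `window` by an
    email or password change from the same IP: the lock-out step that also
    stops the owner from receiving order confirmation emails."""
    last_ok = {}  # user -> (time, ip) of most recent successful login
    flagged = set()
    for ts, ip, user, event in sorted(events):
        if event == "login_ok":
            last_ok[user] = (ts, ip)
        elif event in ("email_change", "password_change") and user in last_ok:
            ok_ts, ok_ip = last_ok[user]
            if ip == ok_ip and ts - ok_ts <= window:
                flagged.add(user)
    return sorted(flagged)

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("spraying IPs:", spraying_ips(ev))
    print("takeover candidates:", takeover_candidates(ev))
```

Thresholds like five accounts per IP are deliberately low for the toy log; in production they would be tuned against normal traffic and combined with rate limiting on the login endpoint.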
Keeping safe
The Maine filing states the attacks occurred on December 28, 2023 and February 21, 2024. In response, Roku quickly “secured the accounts from further unauthorized access”. It then required registered owners to reset their passwords while it investigated the fraudulent activity. The company's security team successfully stopped the “unauthorized subscriptions” and refunded all the charges made under a user’s name.
They confirmed other types of sensitive information like social security numbers were not a part of the attack. Currently, Roku's security team is watching for any further “signs of suspicious activity.”
A Roku representative didn't offer much new information when reached for comment. In an email, they explained the attacks again, how they took immediate steps and added the team is taking the "incident very seriously."
Roku's rep did give us a list of what users should do moving forward. First, they suggest resetting your password by visiting the My Roku website.
If you’re having trouble accessing your profile, they ask that you contact the company for help. An assistance phone number can be found on the notice document. Next, check if any extra subscriptions or unknown devices have been added. Those will most likely belong to a hacker. You can find them on your account’s dashboard.
We also recommend checking your email address on HaveIBeenPwned to see if your data has been leaked online. Roku states the incident only affects a "very small percentage" of subscribers, but it couldn't hurt to check.
Diving deeper
Going back to the BleepingComputer report, the publication dove deeper into the situation, uncovering an online retailer selling stolen login credentials. And get this: you can buy access to a Roku account for as low as 50 cents.
Each listing comes with a set of instructions detailing how to change account details “to make fraudulent purchases.” What’s worse is these bad actors seemingly gloat on Telegram, posting screenshots of things they’ve bought using stolen credentials.
It’s unknown how these logins made their way online. It's possible the credentials were taken from an earlier breach and then posted on the dark marketplace, but that's just our best guess. It's a pretty scary situation all around. If you want to know how to beef up your digital security, check out TechRadar's list of nine tips to protect your online life.