More than 15,000 Roku customers have been affected by a data breach. From what is understood, Roku didn’t encounter the data breach directly. Instead, customers were impacted by a credential stuffing attack.
Credential stuffing refers to a cyber attack in which login details obtained from one service (typically from an earlier breach) are replayed against another service. It works because many users reuse the same username and password across services, so once one of those services suffers a data breach, every other account protected by the same credentials is at risk of being compromised.
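The pattern described above leaves a recognisable trace in authentication logs: one source tries many different usernames in a short window, and most of the attempts fail because only the reused passwords succeed. The script below is an added example (not code from the article, Roku or Bleeping Computer) showing how a defender might spot that pattern; the log lines, the log format, the IP addresses and the thresholds (`min_users`, `max_success_rate`) are all constructed for the illustration.

```python
"""Toy credential-stuffing detector run over constructed login-log lines."""
from collections import defaultdict
import re

# Constructed sample log (not real data): timestamp, source IP, username, outcome.
# 203.0.113.7 walks through many accounts with mostly failures (stuffing-like);
# 198.51.100.2 is one user mistyping a password; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2024-03-08T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-03-08T10:00:02Z 203.0.113.7 bob@example.com FAIL
2024-03-08T10:00:02Z 203.0.113.7 carol@example.com OK
2024-03-08T10:00:03Z 203.0.113.7 dave@example.com FAIL
2024-03-08T10:00:03Z 203.0.113.7 erin@example.com FAIL
2024-03-08T10:00:04Z 203.0.113.7 frank@example.com FAIL
2024-03-08T10:00:04Z 203.0.113.7 grace@example.com OK
2024-03-08T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2024-03-08T10:01:00Z 198.51.100.2 alice@example.com FAIL
2024-03-08T10:01:05Z 198.51.100.2 alice@example.com FAIL
2024-03-08T10:01:09Z 198.51.100.2 alice@example.com OK
2024-03-08T10:02:00Z 192.0.2.9 ivan@example.com OK
"""

# Hypothetical log format: "<timestamp> <ip> <username> <OK|FAIL>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, succeeded) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, outcome = m.groups()
            events.append((ts, ip, user, outcome == "OK"))
    return events


def find_stuffing_sources(events, min_users=5, max_success_rate=0.5):
    """Flag source IPs that hit many distinct accounts with a low success rate.

    Returns {ip: {"distinct_users", "attempts", "success_rate", "succeeded_users"}}.
    The succeeded_users list is what matters for response: those are the accounts
    whose reused password worked and should be force-reset.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok_users": set()})
    for _, ip, user, ok in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        if ok:
            stats["ok_users"].add(user)

    flagged = {}
    for ip, stats in per_ip.items():
        rate = len(stats["ok_users"]) / stats["attempts"]
        if len(stats["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(stats["users"]),
                "attempts": stats["attempts"],
                "success_rate": round(rate, 2),
                "succeeded_users": sorted(stats["ok_users"]),
            }
    return flagged


def accounts_to_reset(flagged):
    """Union of accounts that were successfully logged into from any flagged source."""
    return sorted({u for info in flagged.values() for u in info["succeeded_users"]})


if __name__ == "__main__":
    hits = find_stuffing_sources(parse_log(SAMPLE_LOG))
    for ip, info in hits.items():
        print(ip, info)
    print("force password reset for:", accounts_to_reset(hits))
```

A per-IP view is the simplest cut; real stuffing campaigns spread attempts across many proxies, so the same logic is usually also applied per ASN or per user-agent fingerprint, and the success rate is compared against the site's normal baseline rather than a fixed constant.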
This appears to be exactly what has happened to those affected Roku customers. First reported by Bleeping Computer, Roku’s data breach notice explains that “unauthorized actors had likely obtained certain usernames and passwords of consumers from third-party sources.” In total, 15,363 U.S. customer accounts are understood to have been affected.
The notice goes on to explain that after gaining access to accounts, the unauthorized actors changed the login details to prevent the real account holders from regaining access to their accounts. In some cases, Roku notes, the unauthorized actors also attempted to purchase streaming subscriptions using the payment methods on file.
In addition to the information provided by Roku, Bleeping Computer reports that the unauthorized actors were also selling accounts online for as little as $0.50 each. Once sold, it was the buyer of the account that would then attempt to make purchases, including Roku devices and other hardware products, using the payment methods associated with the Roku account.
For those unsure of whether they have been impacted by this situation, Roku confirmed that it has reset passwords for those accounts. Basically, those users will now need to go to my.roku.com and use the “Forgot password?” option to reset their password before they can access their account again.
For those that can still access their Roku account without having to set a new password, it might be worth checking the Payments & subscriptions section under My account after logging in to the Roku website and checking for any recent and unusual hardware purchases, as well as any new streaming subscriptions. It may also be worth changing the password as a precautionary measure.
For reference, Roku did say it has since canceled or refunded any unauthorized purchases and subscriptions.