Streaming firm Roku has revealed that over 15,000 customers' accounts were hacked using stolen login credentials from unrelated data breaches.
In data breach notices to the Attorneys General for Maine and California, Roku said hackers accessed the accounts of 15,363 US residents in a campaign that lasted from December 28, 2023, to February 21, 2024.
The attacks worked because some Roku account owners had made the mistake of using the same passwords on Roku as on other websites. This gave those who had obtained data from past breaches an easy way to break into Roku accounts and lock out the genuine users.
"After gaining access, they then changed the Roku login information for the affected individual Roku accounts, and, in a limited number of cases, attempted to purchase streaming subscriptions," explained Roku.
As BleepingComputer reports, cybercriminals have been selling access to the hijacked accounts for as little as 50 cents each.
Hijacked accounts can then be used to buy other items from Roku, using the stored credit card details.
Roku says that access to the affected Roku accounts did not allow the hackers to obtain social security numbers, full payment account numbers, dates of birth, or other similar sensitive personal information.
The company says that it is taking the incident "very seriously", has secured the affected accounts from further unauthorised access, and is forcing users to reset their passwords.
Clearly it wouldn't be a good idea to make the same mistake again, so make sure that if you are choosing a new password it is strong, hard to guess and (perhaps most importantly) not the same as any password you are using anywhere else on the internet.
I can't help but feel a little bit sorry for Roku. It is Roku's name and brand being tarnished by this attack, but it could be argued that it is Roku's users who failed to apply proper security.
Credential-stuffing attacks succeed because so many people still make the mistake of reusing the same passwords in different places on the internet.
Despite the warnings, reusing passwords is unsafe behaviour: once one service's password database is breached, the username and password pairs in it can be replayed by attackers against other services, and every account that shares a password falls.
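The attack pattern above (many accounts tried from one source, a low success rate, then a credential change on the accounts that did open) is what a defender can look for in authentication logs. The following is an added example, not Roku's code or anything from the original article: a small detector in Python that flags sources behaving like a credential-stuffing tool and lists accounts that were logged into from such a source and then had their login details changed. The log line format, the sample log lines, the thresholds and the function names are all constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed sample auth log (not real Roku telemetry). Assumed line format:
#   <epoch_seconds> <source_ip> <event> <username>
# where event is login_fail, login_ok, password_change or email_change.
SAMPLE_LOG = """\
1703750400 203.0.113.7 login_fail alice
1703750401 203.0.113.7 login_fail bob
1703750402 203.0.113.7 login_ok carol
1703750403 203.0.113.7 login_fail dave
1703750404 203.0.113.7 login_fail erin
1703750405 203.0.113.7 login_ok frank
1703750406 203.0.113.7 login_fail grace
1703750407 203.0.113.7 login_fail heidi
1703750408 203.0.113.7 login_fail ivan
1703750409 203.0.113.7 login_fail judy
1703750410 203.0.113.7 login_fail mallory
1703750411 203.0.113.7 login_fail oscar
1703750420 203.0.113.7 email_change carol
1703750421 203.0.113.7 password_change carol
1703750500 198.51.100.9 login_fail peggy
1703750501 198.51.100.9 login_fail peggy
1703750502 198.51.100.9 login_ok peggy
"""


def parse_log(text):
    """Parse the assumed whitespace-separated format into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, event, user = line.split()
        events.append({"ts": int(ts), "ip": ip, "event": event, "user": user})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_stuffing_sources(events, min_users=10, min_fail_ratio=0.7):
    """Flag source IPs that try many distinct usernames with a high failure rate.

    A user mistyping a password touches one or two accounts; a stuffing tool
    walks a breach list and touches many, most of which fail because the
    password was never reused there. Thresholds are assumptions to tune.
    """
    stats = defaultdict(lambda: {"users": set(), "fails": 0, "oks": 0})
    for e in events:
        if e["event"] in ("login_fail", "login_ok"):
            s = stats[e["ip"]]
            s["users"].add(e["user"])
            s["fails" if e["event"] == "login_fail" else "oks"] += 1
    flagged = {}
    for ip, s in stats.items():
        attempts = s["fails"] + s["oks"]
        ratio = s["fails"] / attempts if attempts else 0.0
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "fails": s["fails"],
                "oks": s["oks"],
                "fail_ratio": round(ratio, 3),
            }
    return flagged


def find_takeover_candidates(events, flagged_ips):
    """Accounts opened from a flagged source and then given new credentials.

    This is the sequence described in the breach notice: log in with a stuffed
    credential, then change the login details to lock out the real owner.
    """
    first_ok = {}  # user -> ts of first successful login from a flagged source
    for e in events:
        if e["event"] == "login_ok" and e["ip"] in flagged_ips:
            first_ok.setdefault(e["user"], e["ts"])
    candidates = set()
    for e in events:
        if e["event"] in ("password_change", "email_change"):
            t = first_ok.get(e["user"])
            if t is not None and e["ts"] >= t:
                candidates.add(e["user"])
    return sorted(candidates)


def run_detection(text=SAMPLE_LOG):
    """Return (flagged sources, takeover candidates) for a log text."""
    events = parse_log(text)
    flagged = detect_stuffing_sources(events)
    return flagged, find_takeover_candidates(events, flagged)


if __name__ == "__main__":
    flagged, candidates = run_detection()
    for ip, s in flagged.items():
        print(f"stuffing source {ip}: {s}")
    print("takeover candidates:", candidates)
```

On the constructed log this flags 203.0.113.7 (twelve distinct usernames, ten failures out of twelve attempts) and reports carol as a takeover candidate, while peggy's two typos from 198.51.100.9 stay below the threshold. The caveat is that real campaigns are spread across residential proxy pools precisely to stay under per-IP thresholds, so a production detector also needs a site-wide failure-rate baseline, per-account velocity checks, and a check of submitted passwords against known-breached sets at login time.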
That is not to say Roku is blameless. It still hasn't, as far as I can see, offered any form of two-factor authentication (2FA) for its users, which is a common way to improve account security. One would hope Roku's security team might have detected the anomalous behaviour sooner, instead of letting it continue for months.
Roku says its security team continues to monitor for suspicious activity and urges users to remain vigilant against the threat posed by identity thieves. Users with questions about the breach are asked to contact Roku by telephone at 1-816-272-8106, or by email at [email protected].