Over 15000 Roku accounts hacked and sold



  • Over 15000 Roku accounts have had their credentials and credit card details stolen.
  • Credit card details have been popping up on online marketplaces for sale.
  • Roku is currently trying to control the damage done and owners should check if their details are still secure.

Roku is in the news again for the wrong reasons: this time, a massive security breach of 15,363 accounts and their credit card information. The company issued a notice to customers stating that after login information was obtained by hackers, a “limited number” of attempts were made to purchase streaming subscriptions.

According to Roku, it’s likely that the hackers obtained the account information through previous data breaches of third-party services. Such an attack is called credential stuffing: hackers take emails and passwords exposed in other data breaches and try those login credentials on another service, in this case Roku. Once an account is accessed, the hackers change its password, gaining full control.
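From the defender's side, the pattern described above (one source trying many accounts with few successes, then a password change on the account that worked) can be looked for in authentication logs. The following Python is an added example, not from Roku or the original article; the event format, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events: (timestamp, source IP, account, event).
# IPs come from documentation ranges and the accounts are made up.
SAMPLE_EVENTS = [
    ("2024-03-01T10:00:01", "203.0.113.7", "ann@example.com", "login_fail"),
    ("2024-03-01T10:00:02", "203.0.113.7", "bob@example.com", "login_fail"),
    ("2024-03-01T10:00:03", "203.0.113.7", "cat@example.com", "login_fail"),
    ("2024-03-01T10:00:04", "203.0.113.7", "dan@example.com", "login_fail"),
    ("2024-03-01T10:00:05", "203.0.113.7", "eve@example.com", "login_fail"),
    ("2024-03-01T10:00:06", "203.0.113.7", "frank@example.com", "login_ok"),
    ("2024-03-01T10:01:30", "203.0.113.7", "frank@example.com", "password_change"),
    ("2024-03-01T10:05:00", "198.51.100.20", "gina@example.com", "login_fail"),
    ("2024-03-01T10:05:20", "198.51.100.20", "gina@example.com", "login_ok"),
    ("2024-03-01T10:06:00", "198.51.100.20", "gina@example.com", "password_change"),
]


def find_takeovers(events, min_accounts=5, max_success_ratio=0.25, window_minutes=30):
    """Return sorted (ip, account) pairs where a source that looks like
    credential stuffing logged in and then changed that account's password."""
    attempted = defaultdict(set)   # ip -> distinct accounts tried
    succeeded = defaultdict(dict)  # ip -> {account: time of first success}
    candidates = set()
    window = timedelta(minutes=window_minutes)
    parsed = sorted((datetime.fromisoformat(ts), ip, acct, ev)
                    for ts, ip, acct, ev in events)
    for ts, ip, acct, ev in parsed:
        if ev in ("login_fail", "login_ok"):
            attempted[ip].add(acct)
            if ev == "login_ok":
                succeeded[ip].setdefault(acct, ts)
        elif ev == "password_change":
            ok_at = succeeded[ip].get(acct)
            if ok_at is not None and ts - ok_at <= window:
                candidates.add((ip, acct))

    def looks_like_stuffing(ip):
        # Many distinct accounts tried, few of them successfully.
        tried = len(attempted[ip])
        return tried >= min_accounts and len(succeeded[ip]) / tried <= max_success_ratio

    return sorted(c for c in candidates if looks_like_stuffing(c[0]))


if __name__ == "__main__":
    for ip, account in find_takeovers(SAMPLE_EVENTS):
        print(f"possible takeover: {account} from {ip}")
```

The ordinary user who mistypes a password once and then changes it is not flagged, because that source only ever touched one account.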

Roku also lets you manage all of your streaming services, allowing you to directly purchase the likes of Netflix, Hulu, Disney Plus, Max, etc. For this, the Roku app stores your credit card information to make further purchases easy. BleepingComputer reports that the credit card information from these accounts is being sold for 50 cents per account on a hacking marketplace.

It is some consolation that Roku doesn't store social security numbers, full payment account numbers, or dates of birth. According to the company, they have “secured the accounts from further unauthorized access” by asking for password resets. They say they are actively “working to cancel and refund unauthorized purchases”. We would suggest that all Roku users, even those who haven't received a password reset request, visit Have I Been Pwned to see if they were part of the breach, or simply reset their password altogether.

Earlier, Roku faced massive backlash when it made agreeing to its "Dispute Resolution Terms" mandatory, leaving users unable to use their devices unless they agreed never to go to court against the company over any matter.

BleepingComputer also suggests that the “Dispute Resolution Terms” and the ongoing credential stuffing attacks plus financial fraud being conducted through the hacked accounts are linked.
