Roku has suffered a massive data breach, with as many as 15,363 customers affected and their data stolen, including credit card information, passwords, and usernames.
Roku announced the breach in a public memo sent to customers dated March 8th, citing various information on what happened and what the company is doing to combat the issue.
According to BleepingComputer, the purported hackers who not only stole the data but used it to buy into streaming platforms and other products also sold off stolen Roku accounts for just $0.50 per individual user.
Roku stuffing attack
Threat actors involved in the Roku data breach targeted Roku.com itself using so-called SilverBullet or Open Bullet 2 cracking tools. These allow hackers access into locked accounts by way of credential stuffing on Roku’s website, thereby allowing them to change the passwords and collect all of the valuable information associated with the account, including credit cards, emails, shipping addresses, and more.
Once in control of an account, threat actors can use the stolen information fraudulently — in this case buying up streaming subscriptions and other hardware via Roku’s Shopify integration.
According to BleepingComputer's sources, the threat actors that targeted Roku were actively engaging in the mass breach for several months utilizing imported custom configuration files, or simply custom configs, and a variation of proxy servers to bypass captchas and other protective resources.
Several of these stolen Roku accounts were discovered on a variety of account marketplaces for as low as $0.50. At the time of writing, as many as 440 accounts have been sold, with details on how fraudulent buyers can utilize the provided information for nefarious purposes, most notably to buy light strips, remotes, soundbars, cameras, and more using stolen credit cards.
Account holders affected by the data breach are requested by Roku to visit “my.roku.com” and to reset their password using the “Forgot password?” tool. Once you have accessed your account, ensure that all of your information, including connected devices and active subscriptions, are in order via the Roku dashboard.
Roku’s data breach statement
Roku has addressed the issue in a memo to its customers sent out on Friday of last week. The company details how “unauthorized actors were able to obtain login information from third-party sources” and that said threat actors were then able to alter “Roku logins for the affected individual Roku accounts.”
Although Roku has stated that it secured all impacted accounts and has enforced a password reset wherever possible following the incident, without any two factor authentication on even the best Roku devices and services, it’s quite a conundrum to face for its customers.
It’s best to ensure that all of your passwords across services are altered following the breach and to contact your banks to keep your credit cards secure. It’s a bit more complicated for stolen address information, but you’ll be sleeping soundly given threat actors won’t be able to access your other accounts and credit cards.
Roku’s data breach comes on the heels of a rather problematic user agreement change, which disallowed users access to their TVs until accepting the new policy. The breach is in no way connected to these changes, but highlights many problems currently under the Roku banner — despite the firm’s OS being hailed as the number one selling TV OS in the US.