Main points
- Roku reported that 15,363 customer accounts were accessed using login details obtained from a third-party source, not from a breach of Roku's own systems; the attackers had only limited access to sensitive data.
- The attackers used credential stuffing (trying email/password pairs leaked from other breaches) to get in, then changed the passwords of affected accounts and made unauthorized subscription purchases.
- Affected Roku account holders should reset their passwords, review their accounts for unauthorized transactions, and use a password manager with a unique password per site going forward.
Roku, the creator of the affordable streaming set-top box and ad-supported Roku Channel, said 15,363 customer accounts were compromised between December 28, 2023, and February 21, 2024, as first reported by Bleeping Computer. Details are provided in documents filed with the attorneys general of California and Maine.
According to Roku, the credentials were not taken from Roku's own systems. They came from a third-party source unaffiliated with Roku: login details exposed in some other breach that also happened to work as Roku logins because the customer had reused the same email address and password. That doesn't give attackers access to highly sensitive information like Social Security numbers or credit card numbers, but in limited circumstances it did let them purchase subscriptions to streaming services like Max or Peacock through the hijacked account.
Bleeping Computer identified the method as a "credential stuffing attack," in which "threat actors collect credentials exposed in a data breach and then attempt to use them to log into other websites." Because the email and password are the ones the victim really uses, each login looks legitimate to the site. Once inside, the attackers changed the passwords of the affected accounts, locking the owners out, and used the accounts however they pleased.
To make matters worse, the attackers also offered the hijacked accounts for sale on a stolen-accounts marketplace for as little as 50 cents each, according to Bleeping Computer. Roku has emailed everyone with an affected account (the notification letter is available online), reset the passwords of affected accounts, and begun issuing refunds for unauthorized purchases. Whether or not you have been notified, it's a good idea to review your Roku account for unusual transactions and change your password right away.
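Credential stuffing has a recognizable signature on the receiving end: one source IP trying many different usernames, each once or twice, with a low success rate. The following is an added example of that detection logic, not Roku's code or anything from the Bleeping Computer report; the log format and every log line are constructed for the example, and the window and threshold values are assumptions to tune for a real service.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real Roku data). Format assumed for the
# example: timestamp, source IP, account tried, and the login result.
SAMPLE_LOG = """\
2024-01-05T10:00:01Z ip=203.0.113.5 user=alice@example.com result=fail
2024-01-05T10:00:02Z ip=203.0.113.5 user=bob@example.com result=fail
2024-01-05T10:00:03Z ip=203.0.113.5 user=carol@example.com result=fail
2024-01-05T10:00:04Z ip=203.0.113.5 user=dave@example.com result=success
2024-01-05T10:00:05Z ip=203.0.113.5 user=erin@example.com result=fail
2024-01-05T10:00:06Z ip=203.0.113.5 user=frank@example.com result=fail
2024-01-05T10:02:00Z ip=198.51.100.7 user=alice@example.com result=fail
2024-01-05T10:02:30Z ip=198.51.100.7 user=alice@example.com result=fail
2024-01-05T10:03:00Z ip=198.51.100.7 user=alice@example.com result=success
2024-01-05T11:30:00Z ip=203.0.113.5 user=grace@example.com result=fail
"""


def parse_line(line):
    """Turn one constructed log line into (timestamp, ip, user, succeeded)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, kv["ip"], kv["user"], kv["result"] == "success"


def find_stuffing_sources(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: {"accounts": n, "successes": [...]}} for every source IP that
    tried at least `min_accounts` distinct usernames inside any sliding `window`.

    Many distinct accounts from one source is the credential-stuffing pattern.
    One account hammered with many passwords (plain brute force) is deliberately
    not flagged here, so 198.51.100.7 in the sample is left alone.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            when, ip, user, ok = parse_line(line)
            events[ip].append((when, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_events = evs[start:end + 1]
            accounts = {u for _, u, _ in window_events}
            if len(accounts) >= min_accounts:
                # Successful logins inside the burst are the accounts to
                # force-reset and refund first.
                hits = sorted({u for _, u, ok in window_events if ok})
                prev = flagged.get(ip)
                if prev is None or len(accounts) > prev["accounts"]:
                    flagged[ip] = {"accounts": len(accounts), "successes": hits}
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

In the sample, 203.0.113.5 tries six different accounts in six seconds and gets into one of them, which is exactly the account whose password the attacker would change next; a per-IP rate limit alone would not catch it if the attacker spreads the attempts across many IPs, so real deployments also look at per-account failure rates and known proxy ranges.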
How to reset Roku password
It only takes a few minutes and is worth the effort
Resetting your Roku account password works much the same as for any other online account; just make sure you have access to the email address on the account.
- Open a web browser of your choice and go to my.roku.com.
- On the login page, select Forgot password?
- Enter your email address.
- Follow the reset link sent to your email and enter a new password that you don't use anywhere else. Credential stuffing only works because the old password was reused on another site, so a unique password is what actually closes the hole.
How to find out if your account has been compromised
Companies in the United States are required by state breach-notification laws to tell customers when their personal information has been compromised, so in most cases you'll receive an email or letter if something goes wrong. Roku has reportedly notified those affected, so check your email and keep an eye out for a letter in the mail. However, there are better ways to find out than waiting for a notice.
Most modern password managers will cross-reference your saved logins against known breaches and flag the accounts that are affected. You can also sign up for alerts from the breach notification site Have I Been Pwned, which will email you whenever your address appears in a newly loaded breach.
While it's a headache to deal with, and it feels unfair that the responsibility for keeping things safe falls primarily on the customer, that's the reality. Using a password manager, giving every account its own password, and following other security basics will keep your accounts secure in the future no matter what a company screws up.
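Breach-checking services can tell you whether a password has been leaked without ever seeing the password. Have I Been Pwned's Pwned Passwords range API works on k-anonymity: the client sends only the first five hex characters of the SHA-1 hash and gets back every known suffix for that prefix, then matches locally. The following is an added example of that exchange, not Roku's code and not HIBP's own client; the range response text below is constructed for the example (the breach count is made up), and the `fetch_range_online` helper is the one piece that talks to the real service.

```python
import hashlib
import urllib.request


def hash_parts(password):
    """Split SHA-1(password) into the 5-char prefix that is sent to the service
    and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix, response_text):
    """Parse 'SUFFIX:COUNT' lines and return how often the full hash was seen in
    breaches (0 if absent). Entries with count 0 are padding the API adds when
    the Add-Padding header is sent, so they must not be treated as hits."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix and int(count) > 0:
            return int(count)
    return 0


def password_breach_count(password, fetch_range):
    """Full k-anonymity check: hash locally, fetch the prefix bucket, match locally."""
    prefix, suffix = hash_parts(password)
    return count_in_range_response(suffix, fetch_range(prefix))


def fetch_range_online(prefix):
    """Real request to the Pwned Passwords range endpoint (not used by the test)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the bucket for prefix 5BAA6 (not real API output):
# line 1 is the real SHA-1 suffix of "password" with a made-up count, the next
# two are arbitrary suffixes, and the last is a padding entry with count 0.
CONSTRUCTED_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
0123456789ABCDEF0123456789ABCDEF012:0
"""


def fetch_range_offline(prefix):
    """Offline substitute for fetch_range_online so the example runs anywhere."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print("password ->", password_breach_count("password", fetch_range_offline))
    print("unique passphrase ->",
          password_breach_count("correct horse battery staple Roku", fetch_range_offline))
```

To check a real password, pass `fetch_range_online` instead of `fetch_range_offline`; the service still only ever learns the five-character prefix, which matches on the order of a thousand distinct hashes, so it cannot tell which one you hold.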