Roku said the hackers likely obtained account information exposed in a previous data breach at a third-party service. This attack, known as credential stuffing, involves hackers taking emails and passwords exposed in a data breach and trying the same combinations on other services. Once they gained access to an account, the hackers changed the login information for some accounts, gaining full control.
If the account had credit card information stored, hackers could also purchase subscriptions to services like Netflix, Max, Paramount Plus, Hulu, Peacock, Disney Plus, and more within Roku. Hackers have also been found selling stolen information on hacker marketplaces for around 50 cents per account.
One saving grace is that Roku accounts don’t reveal Social Security numbers, full payment account numbers, or dates of birth. Roku said it has since asked affected users to reset their passwords “to secure accounts from further unauthorized access.” It is also working to cancel and refund unauthorized purchases. Even if you haven’t been affected by this data breach, it’s still worth checking HaveIBeenPwned to see if any of your credentials have been compromised recently. There’s no harm in changing your Roku password.
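On the service side, the credential stuffing pattern described above shows up in login logs as one source trying many different accounts with mostly failed attempts. The following is an added example, not code from Roku or from the original article; the log format, addresses, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login log (not Roku data): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-03-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2024-03-01T10:00:03Z 203.0.113.7 carol@example.com FAIL
2024-03-01T10:00:04Z 203.0.113.7 dave@example.com FAIL
2024-03-01T10:00:05Z 203.0.113.7 erin@example.com OK
2024-03-01T10:00:06Z 203.0.113.7 frank@example.com FAIL
2024-03-01T10:01:00Z 198.51.100.20 bob@example.com FAIL
2024-03-01T10:01:20Z 198.51.100.20 bob@example.com FAIL
2024-03-01T10:01:45Z 198.51.100.20 bob@example.com OK
2024-03-01T10:02:00Z 192.0.2.50 gina@example.com OK
2024-03-01T10:02:05Z 192.0.2.50 hal@example.com OK
2024-03-01T10:02:09Z 192.0.2.50 ivy@example.com OK
2024-03-01T10:02:12Z 192.0.2.50 jo@example.com OK
2024-03-01T10:02:30Z 192.0.2.50 kim@example.com OK
"""

def parse(log):
    """Yield (timestamp, ip, account, result) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield tuple(parts)

def flag_stuffing_sources(events, min_accounts=5, max_success_ratio=0.2):
    """Return {ip: [accounts with a successful login]} for suspicious sources.

    A source is suspicious when it tries many distinct accounts and most
    attempts fail, which is what replaying a breached email/password list
    looks like. Thresholds are illustrative assumptions, not tuned values.
    """
    stats = defaultdict(lambda: {"accounts": set(), "hits": set(), "ok": 0, "total": 0})
    for _ts, ip, account, result in events:
        s = stats[ip]
        s["accounts"].add(account)
        s["total"] += 1
        if result == "OK":
            s["ok"] += 1
            s["hits"].add(account)
    # A user retyping one password (single account) and a shared office
    # address (many accounts, all succeeding) both fall outside the rule.
    return {ip: sorted(s["hits"]) for ip, s in stats.items()
            if len(s["accounts"]) >= min_accounts
            and s["ok"] / s["total"] <= max_success_ratio}

if __name__ == "__main__":
    print(flag_stuffing_sources(parse(SAMPLE_LOG)))
```

The accounts listed for a flagged source are the ones to force a password reset on and to review for changed login details or unauthorized purchases.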