Ryan Haines / Android Authority
Long story short
- More than 15,000 Roku accounts were compromised due to stolen login credentials.
- Hackers can access stored credit card information and use it for fraudulent transactions.
Streaming giant Roku has disclosed a data breach affecting more than 15,000 customers. Hackers used stolen login credentials to gain unauthorized access to accounts and make fraudulent purchases.
Roku notified consumers of the breach on Friday, revealing that hackers used a technique called “credential stuffing” to penetrate 15,363 accounts. Credential stuffing involves using usernames and passwords exposed in other data breaches to try to log into accounts on different services. According to the company, the attacks began in December 2023 and continued until late February 2024.
BleepingComputer first reported the attacks, noting that the attackers used automated tools to conduct credential stuffing against Roku. The attackers were able to bypass Roku's security measures through tactics such as using specific URLs and rotating proxy servers.
In this case, hackers may have obtained login credentials previously exposed in breaches of other online services and attempted to use them on Roku accounts. If successful, they can change account information and gain full control, locking people out of their accounts.
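The traffic shape described above (automated tools, each leaked username and password pair tried about once, requests spread across rotating proxy IPs) is what a defender can look for in authentication logs. The following is an added example, not Roku's code or anything from the reporting: it runs simple credential-stuffing detection over a few constructed log lines and lists the accounts that logged in successfully during a flagged window, which are the ones to force through a password reset. The log format, field names and thresholds are assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (assumed format: one line per login attempt).
# The first block mimics stuffing through rotating proxies: ten source IPs,
# each trying one distinct account once, most attempts failing.
# The last two lines mimic an ordinary user who mistypes a password once.
SAMPLE_LOG = """\
2024-02-20T10:00:01Z ip=203.0.113.10 user=alice@example.com result=FAIL
2024-02-20T10:00:02Z ip=203.0.113.11 user=bob@example.com result=FAIL
2024-02-20T10:00:02Z ip=203.0.113.12 user=carol@example.com result=OK
2024-02-20T10:00:03Z ip=203.0.113.13 user=dave@example.com result=FAIL
2024-02-20T10:00:04Z ip=203.0.113.14 user=erin@example.com result=FAIL
2024-02-20T10:00:04Z ip=203.0.113.15 user=frank@example.com result=FAIL
2024-02-20T10:00:05Z ip=203.0.113.16 user=grace@example.com result=OK
2024-02-20T10:00:06Z ip=203.0.113.17 user=heidi@example.com result=FAIL
2024-02-20T10:00:06Z ip=203.0.113.18 user=ivan@example.com result=FAIL
2024-02-20T10:00:07Z ip=203.0.113.19 user=judy@example.com result=FAIL
2024-02-20T15:30:00Z ip=198.51.100.7 user=mallory@example.com result=FAIL
2024-02-20T15:30:20Z ip=198.51.100.7 user=mallory@example.com result=OK
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse_log(text):
    """Parse the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts, ip, user, result = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "ip": ip,
            "user": user,
            "ok": result == "OK",
        })
    return events


def bucket_events(events, window_seconds=60):
    """Group events into fixed time buckets keyed by window index."""
    buckets = defaultdict(list)
    for e in events:
        buckets[int(e["ts"].timestamp()) // window_seconds].append(e)
    return buckets


def find_stuffing_windows(events, window_seconds=60, min_users=8,
                          min_fail_ratio=0.6, max_attempts_per_user=2.0):
    """Flag windows whose shape matches credential stuffing.

    Brute force hammers one account from few sources; stuffing tries each
    leaked pair roughly once across many accounts and, with rotating
    proxies, many IPs. A window is flagged when it shows many distinct
    users, a high failure ratio and about one attempt per user.
    The thresholds are assumptions chosen for this demonstration.
    """
    flagged = []
    for key, span in sorted(bucket_events(events, window_seconds).items()):
        users = {e["user"] for e in span}
        ips = {e["ip"] for e in span}
        fails = sum(1 for e in span if not e["ok"])
        if (len(users) >= min_users
                and fails / len(span) >= min_fail_ratio
                and len(span) / len(users) <= max_attempts_per_user):
            flagged.append({
                "start": datetime.fromtimestamp(key * window_seconds, tz=timezone.utc),
                "attempts": len(span),
                "distinct_users": len(users),
                "distinct_ips": len(ips),
                "fail_ratio": fails / len(span),
            })
    return flagged


def accounts_to_reset(events, window_seconds=60, **thresholds):
    """Accounts that logged in successfully inside a flagged window.

    These are the likely takeovers: the response is to invalidate their
    sessions and force a password reset, as the article says Roku did.
    """
    flagged_keys = {
        int(w["start"].timestamp()) // window_seconds
        for w in find_stuffing_windows(events, window_seconds, **thresholds)
    }
    hits = {
        e["user"] for e in events
        if e["ok"] and int(e["ts"].timestamp()) // window_seconds in flagged_keys
    }
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for w in find_stuffing_windows(evs):
        print(f"{w['start'].isoformat()}: {w['attempts']} attempts, "
              f"{w['distinct_users']} users, {w['distinct_ips']} IPs, "
              f"fail ratio {w['fail_ratio']:.2f}")
    print("force password reset:", accounts_to_reset(evs))
```

The per-window checks are deliberately account-centric rather than per-IP: with rotating proxies each source address may send only one request, so a per-IP rate limit alone never fires. The "attempts per user" ceiling is what separates stuffing (one try per leaked pair) from a password-spraying or brute-force pattern that would need different thresholds.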
The publication further found that stolen accounts were being sold on hacker markets for as little as 50 cents each. Buyers can then use the credit card information stored in these accounts to purchase Roku hardware, such as streaming devices, soundbars, and light strips.
Roku confirmed that in some cases, hackers used stolen credentials to purchase streaming subscriptions for Netflix, Hulu, and Disney Plus. The company said it has secured affected accounts and forced them to reset their passwords. Additionally, Roku’s security team has identified and canceled unauthorized purchases and initiated refunds for affected customers.
Fortunately, the data breach did not expose sensitive information such as Social Security numbers or full credit card details. Therefore, hackers should not be able to conduct any fraudulent transactions outside the Roku ecosystem. However, as a precautionary measure, it is recommended that you change your Roku password.
Even if you’re not affected, this is a wake-up call and highlights the importance of strict password hygiene. Most importantly, change your passwords every few months and avoid using the same password for multiple accounts if possible.