Thursday, July 4, 2024

15,000 accounts compromised in data breach

Streaming company Roku has revealed that over 15,000 customers’ accounts were hacked using stolen login credentials from unrelated data breaches.

In data breach notices to the Attorneys General for Maine and California, Roku said hackers accessed the accounts of 15,363 US residents in a campaign that lasted from December 28, 2023, to February 21, 2024.

The attacks worked because some Roku account owners had made the mistake of using the same passwords on Roku as on a number of other websites. This gave those who had gained access to previous data breaches an easy way to break into Roku accounts and lock out genuine users.

“After gaining entry, they then modified the Roku login info for the affected individual Roku accounts, and, in a restricted variety of circumstances, tried to buy streaming subscriptions,” explained Roku.

As Bleeping Computer describes, cybercriminals have been selling access to the hijacked accounts for as little as 50 cents each.

Hijacked accounts can then be used to purchase other items from Roku, using saved credit card details.

Roku claims that access to the affected Roku accounts did not allow the hackers to access social security numbers, full payment account numbers, dates of birth, or other similar sensitive personal information.

The company says that it is taking the incident “very seriously” and has secured affected accounts from further unauthorised access, and is forcing users to reset their passwords.

Clearly it wouldn’t be a good idea to make the same mistake again – so make sure that if you are choosing a new password that it is one that is strong, impossible-to-guess and (perhaps most importantly) not the same as any password you are using elsewhere on the internet.

I can’t help but feel a little bit sorry for Roku.  It’s Roku’s name and brand being tarnished by this attack, but it may be argued that it’s Roku’s users who failed to use proper security.

Credential-stuffing attacks succeed because so many people still make the mistake of reusing the same passwords in different places on the internet.

Despite warnings, reusing passwords is unsafe behaviour – as a breached service’s password database can be used by hackers to access other accounts.

That is not to say Roku is blameless.  It still hasn’t, as far as I can see, offered any form of two-factor authentication (2FA) for its users, which is a common way to improve account security. One would hope Roku’s security team might have detected the anomalous behaviour sooner, instead of letting it continue for months.
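The pattern described in this article (many accounts tried from one source, mostly failing, then a login-detail change on the few that succeed) can be searched for in authentication logs. The following is an added example, not code from Roku or from the original article; the event format, field names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events (not real data): (epoch_seconds, source_ip, account, event)
SAMPLE_EVENTS = [
    (1000, "203.0.113.7", "alice@example.com", "login_fail"),
    (1002, "203.0.113.7", "bob@example.com", "login_fail"),
    (1004, "203.0.113.7", "carol@example.com", "login_ok"),
    (1006, "203.0.113.7", "dave@example.com", "login_fail"),
    (1008, "203.0.113.7", "erin@example.com", "login_fail"),
    (1030, "203.0.113.7", "carol@example.com", "credentials_changed"),
    (1100, "198.51.100.20", "frank@example.com", "login_fail"),
    (1110, "198.51.100.20", "frank@example.com", "login_ok"),
    (1500, "198.51.100.20", "frank@example.com", "credentials_changed"),
]

def find_stuffing_sources(events, window=300, min_accounts=5, max_success_ratio=0.3):
    """Return IPs that tried many distinct accounts within one window and mostly failed.
    Thresholds are illustrative assumptions and need tuning against real traffic."""
    attempts = defaultdict(list)
    for ts, ip, account, event in events:
        if event in ("login_ok", "login_fail"):
            attempts[ip].append((ts, account, event == "login_ok"))
    flagged = set()
    for ip, rows in attempts.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window` seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            in_window = rows[start:end + 1]
            accounts = {acct for _, acct, _ in in_window}
            successes = sum(ok for _, _, ok in in_window)
            if len(accounts) >= min_accounts and successes / len(in_window) <= max_success_ratio:
                flagged.add(ip)
                break
    return flagged

def find_takeovers(events, flagged_ips, follow_up=3600):
    """Accounts with a successful login from a flagged IP, then a credential change."""
    last_ok, taken = {}, set()
    for ts, ip, account, event in sorted(events):
        if event == "login_ok" and ip in flagged_ips:
            last_ok[account] = ts
        elif event == "credentials_changed" and account in last_ok:
            if ts - last_ok[account] <= follow_up:
                taken.add(account)
    return taken
```

An owner who mistypes a password once and later changes it, like the second source in the sample, is not flagged, because only one account was attempted from that address.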

Roku says its security team continues to monitor for suspicious activity and urges users to remain vigilant of the threat posed by identity thieves. Users with questions about the breach are asked to contact Roku by telephone at 1-816-272-8106, or by email at [email protected].
