Roku, the popular streaming platform, recently disclosed a data breach resulting from a credential stuffing attack affecting over 15,000 customer accounts. The breach exposed credit card information and more.
A credential stuffing attack involves hackers using login information from previous data breaches to gain unauthorized access to accounts. In Roku’s case, hackers exploited system vulnerabilities and infiltrated user accounts with stolen credentials. Once inside, they changed login details, locking out genuine account owners.
The breach had severe consequences, with hackers gaining access to streaming subscriptions and making fraudulent purchases using stored credit card details unbeknownst to account holders. These stolen accounts were priced as low as $0.50 per account on hacking marketplaces, worsening the breach’s impact.
Below is a screenshot of one of these stolen accounts available for purchase on a black market website.
The seller even included details on accessing the stolen credentials and making purchases with the users’ credit card information.
Roku promptly responded to the breach by securing the compromised accounts, enforcing mandatory password resets, and investigating unauthorized purchases. Their goal is to help users regain control of their accounts and prevent further fraudulent activity.
Roku’s Response and Advice for Users
Roku informed affected users about the breach and secured the impacted accounts, stating their commitment to viewers’ privacy and security.
Roku observed suspicious activity on individual accounts potentially accessed by unauthorized actors using stolen login details. The breach stemmed from reused username/password combinations across third-party services and individual Roku accounts, enabling unauthorized access and alterations to login information.
After gaining access, unauthorized actors modified login details and attempted streaming subscription purchases, albeit in a limited number of cases.
Roku advised users to review their account activities, connected devices, and subscriptions to detect signs of fraudulent activity and safeguard their accounts. While significant actions were taken post-breach, Roku does not currently support two-factor authentication, which could further enhance account security by adding an extra layer of verification beyond credentials.
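As an added example (not Roku's code and not from the original post), the following Python flags the two patterns described above in a constructed authentication log: a source address trying many distinct accounts with mostly failed logins, and an account whose login details change shortly after a successful login from an address that account had never used before. The event names, thresholds, and log entries are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, event, account, source IP); not real Roku data.
# 203.0.113.7 replays one stolen credential per account, succeeds on "dave",
# then changes his password, matching the takeover pattern described above.
SAMPLE_LOG = [
    ("2024-03-01T09:00:00", "login_ok",        "dave",  "198.51.100.2"),  # dave's usual IP
    ("2024-03-01T10:00:00", "login_fail",      "alice", "203.0.113.7"),
    ("2024-03-01T10:00:01", "login_fail",      "bob",   "203.0.113.7"),
    ("2024-03-01T10:00:02", "login_fail",      "carol", "203.0.113.7"),
    ("2024-03-01T10:00:03", "login_ok",        "dave",  "203.0.113.7"),
    ("2024-03-01T10:00:04", "login_fail",      "erin",  "203.0.113.7"),
    ("2024-03-01T10:02:00", "password_change", "dave",  "203.0.113.7"),
    ("2024-03-01T11:00:00", "login_ok",        "frank", "192.0.2.9"),
    ("2024-03-01T11:00:30", "login_fail",      "frank", "192.0.2.9"),    # a typo, not an attack
]

def parse(rows):
    """Turn the raw tuples into (datetime, event, account, ip), oldest first."""
    return sorted((datetime.fromisoformat(t), e, a, ip) for t, e, a, ip in rows)

def stuffing_sources(events, min_accounts=4, min_fail_ratio=0.7):
    """Source IPs that tried many distinct accounts with a high failure rate: the
    signature of a stolen credential list being replayed against a login endpoint."""
    accounts, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, ev, acct, ip in events:
        if ev in ("login_ok", "login_fail"):
            accounts[ip].add(acct)
            total[ip] += 1
            if ev == "login_fail":
                fails[ip] += 1
    return sorted(ip for ip in total
                  if len(accounts[ip]) >= min_accounts
                  and fails[ip] / total[ip] >= min_fail_ratio)

def takeover_candidates(events, window_minutes=30):
    """Accounts whose login details changed within the window after a successful
    login from an IP never before used by that account (first-ever logins are ignored)."""
    window = timedelta(minutes=window_minutes)
    known_ips = defaultdict(set)   # account -> IPs with a prior successful login
    new_ip_login = {}              # account -> time of latest login from an unknown IP
    flagged = set()
    for ts, ev, acct, ip in events:
        if ev == "login_ok":
            if known_ips[acct] and ip not in known_ips[acct]:
                new_ip_login[acct] = ts
            known_ips[acct].add(ip)
        elif ev in ("password_change", "email_change"):
            t0 = new_ip_login.get(acct)
            if t0 is not None and ts - t0 <= window:
                flagged.add(acct)
    return sorted(flagged)
```

On the sample log, `stuffing_sources` returns the spraying address and `takeover_candidates` returns only `dave`; the same two checks map directly onto the "review your account activity and connected devices" advice above, run from the service side instead of by each user.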
We emphasize online security and recommend anonymous payment methods like Bitcoin or Masked Credit Cards from providers such as Abine Blur.
BleepingComputer first reported the story as "Over 15,000 hacked Roku accounts sold for 50¢ each to buy hardware."