A data breach impacting more than 15,000 consumers was revealed by streaming giant Roku. The attackers employed stolen login credentials to gain unauthorised access and make fraudulent purchases.
Roku notified customers of the breach last Friday, stating that hackers used a technique known as "credential stuffing" to infiltrate 15,363 accounts. Credential stuffing is the use of exposed usernames and passwords from other data breaches to attempt to enter into accounts on other services. These attacks started in December 2023 and persisted until late February 2024, as per the company.
Bleeping Computer was the first to reveal the hack, pointing out that attackers used automated tools to undertake credential-stuffing assaults on Roku. The hackers were able to bypass security protections using techniques such as specific URLs and rotating proxy servers.
In this case, hackers probably gained login credentials from previous hacks of other websites and attempted to use them on Roku accounts. If successful, they could change the account information and take complete control, locking users out of their own accounts.
The publication also uncovered that stolen accounts are being sold for as few as 50 cents each on hacking marketplaces. Purchasers can then employ the stored credit card information on these accounts to purchase Roku gear, such as streaming devices, soundbars, and light strips.
Roku stated that hackers used stolen credentials to acquire streaming subscriptions such as Netflix, Hulu, and Disney Plus in some instances. The company claims to have safeguarded the impacted accounts and required password resets. Furthermore, Roku's security team has discovered and cancelled unauthorised purchases, resulting in refunds for affected users.
Fortunately, the data breach did not compromise critical information such as social security numbers or full credit card information. So hackers should be unable to perform fraudulent transactions outside of the Roku ecosystem. However, it is recommended that you update your Roku password as a precaution.
Even if you were not affected, this is a wake-up call that stresses the significance of proper password hygiene. Most importantly, change your passwords every few months and avoid using the same password across multiple accounts whenever possible.