Streaming giant Roku disclosed a data breach impacting over 15,000 customers, with hackers exploiting stolen login credentials to gain unauthorized access and make fraudulent purchases. The breach, which involved a technique known as "credential stuffing," allowed attackers to infiltrate 15,363 accounts between December 2023 and late February 2024.
As reported by Bleeping Computer, the attackers used automated tools to run credential-stuffing attacks against Roku, bypassing its defenses with tactics such as targeting specific login URLs and rotating proxy servers so that no single IP address stood out. The login credentials are believed to have come from earlier breaches of other online services and were replayed against Roku accounts, giving the attackers full control over any account where the password had been reused.
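Because rotating proxies keep every source IP below per-IP lockout thresholds, credential stuffing of this kind is easier to spot in the aggregate shape of a login window than per address. The detector below is an added illustration, not Roku's code or anything from the Bleeping Computer report; the log events, thresholds and field names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

# Constructed sample login events (not real Roku data):
# (timestamp, source_ip, username, outcome). Every attempt arrives from a
# different proxy IP, so per-IP rate limits never fire; the tell is aggregate.
SAMPLE_EVENTS = [
    (datetime(2024, 1, 15, 3, 0, 0) + timedelta(seconds=7 * i),
     f"203.0.113.{i % 250}", f"user{i:04d}@example.com",
     "success" if i in (4, 17, 33) else "failure")
    for i in range(40)
]
# Ordinary traffic an hour later: a few users, repeated IPs, mostly successful.
SAMPLE_EVENTS += [
    (datetime(2024, 1, 15, 4, 0, 0) + timedelta(seconds=60 * i),
     "198.51.100.7" if i % 2 else "198.51.100.8",
     f"regular{i % 3}@example.com", "failure" if i == 2 else "success")
    for i in range(6)
]


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_attempts=20, min_user_ratio=0.8,
                               min_fail_ratio=0.7):
    """Bucket login events into fixed windows and flag windows whose shape
    matches credential stuffing: many attempts spread across many distinct
    usernames and source IPs with a high failure rate. Each alert lists the
    usernames that logged in successfully during the window, i.e. the
    accounts to force through a password reset and purchase review."""
    buckets = defaultdict(list)
    for ts, ip, user, outcome in events:
        start = ts - (ts - EPOCH) % window      # floor to the window boundary
        buckets[start].append((ip, user, outcome))
    alerts = []
    for start, attempts in sorted(buckets.items()):
        n = len(attempts)
        if n < min_attempts:
            continue
        users = {u for _, u, _ in attempts}
        ips = {ip for ip, _, _ in attempts}
        fails = sum(1 for _, _, o in attempts if o == "failure")
        if len(users) / n >= min_user_ratio and fails / n >= min_fail_ratio:
            alerts.append({
                "window_start": start, "attempts": n,
                "distinct_users": len(users), "distinct_ips": len(ips),
                "fail_ratio": fails / n,
                "accounts_to_reset": sorted(u for _, u, o in attempts if o == "success"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_EVENTS):
        print(alert)
```

The benign window never reaches `min_attempts`, while the stuffing window trips both the distinct-user and failure-rate thresholds despite no IP appearing twice.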
Stolen accounts are reportedly being sold for as little as 50 cents each on hacking marketplaces, with purchasers potentially using stored credit card information to buy Roku hardware and streaming subscriptions like Netflix, Hulu, and Disney Plus.
In response, Roku has secured affected accounts and forced password resets, while also identifying and cancelling unauthorized purchases and initiating refunds for impacted customers. Fortunately, sensitive information like social security numbers or full credit card details was not exposed in the breach, limiting the potential for fraudulent transactions outside of the Roku ecosystem.
As a precautionary measure, Roku advises all users to change their passwords, emphasizing the importance of strong password hygiene. This incident serves as a reminder to regularly update passwords and avoid reusing them across multiple accounts to enhance security.