PSA: Hackers Accessed More Than 15,000 Roku Accounts


The attackers likely obtained username and password combinations exposed in earlier breaches of other online platforms. They then used automated tools to try these stolen credentials against Roku accounts systematically, sidestepping defenses with tactics such as hitting specific login URLs and rotating proxy servers so that no single source address stood out.

If the credential stuffing was successful on a Roku account, the hackers could change the login details, locking the legitimate user out of their own account. With full control, they could then view stored payment information and make unauthorized purchases.

Extent of the Damage

Image: Peter Holden / TalkAndroid

The headline figures for the incident come from a data breach notification that Roku filed and that is posted on the Office of the Maine Attorney General website. Beyond that, according to the initial report, some compromised Roku accounts are being sold on hacking forums and marketplaces for as little as 50 cents each.

Roku has confirmed that in some cases, the attackers used the hijacked accounts to subscribe to streaming services like Netflix, Hulu, and Disney+, charging the associated payment methods on file. The company states it has now secured all affected accounts, forcing password resets and canceling any unauthorized purchases. Roku is also initiating refunds for impacted customers.

Thankfully, more sensitive data such as full credit card numbers and Social Security numbers was not exposed, limiting the damage within Roku's ecosystem.

A Stark Password Reuse Reminder

Image: Roku

While the breach is concerning for Roku users, it serves as a stark reminder of the severe risks of reusing passwords across multiple online accounts. Credential stuffing attacks exploit exactly this lapse in password hygiene, allowing hackers to pivot across various platforms and services with a single set of stolen login credentials.

Security experts have reiterated the importance of using unique, hard-to-guess passwords for each account to mitigate such attacks. Password manager tools, for example, can help generate and store strong, randomized passwords conveniently.

Additionally, users must stay vigilant against phishing attempts that try to trick them into entering their login information on fake websites. Always verify the authenticity of login pages and never click suspicious links, especially those received via email or text.

Taking Responsibility

Image: Roku

In the aforementioned data breach notification filing, Roku has taken responsibility for the incident, stating that “unauthorized individuals using account credentials believed to have been obtained from third-party source(s) were used to access individual customer accounts.”

The company is now facing scrutiny over its security practices and whether additional measures could have been implemented to detect and prevent credential stuffing on such a widespread scale.
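As an added illustration of the kind of detection measure that question points at (example code written for this page, not Roku's own tooling), the script below scans a constructed login-audit log for the pattern described above: many failed logins spread across many accounts and many rotating source IPs, with no single IP busy enough to trip a per-IP lockout. The log format, the thresholds and the per-IP limit are all assumptions.

```python
# Added example, not Roku's code: detect credential stuffing spread across rotating proxies.
from collections import Counter, defaultdict
from datetime import datetime

# Constructed login-audit lines: "<ISO timestamp> <source IP> <account> <outcome>".
SAMPLE_LOG = """\
2024-03-10T02:00:03Z 203.0.113.10 user01@example.test FAIL
2024-03-10T02:00:04Z 203.0.113.11 user02@example.test FAIL
2024-03-10T02:00:05Z 203.0.113.12 user03@example.test FAIL
2024-03-10T02:00:06Z 203.0.113.13 user04@example.test OK
2024-03-10T02:00:07Z 203.0.113.14 user05@example.test FAIL
2024-03-10T02:00:08Z 203.0.113.15 user06@example.test FAIL
2024-03-10T02:00:09Z 203.0.113.16 user07@example.test FAIL
2024-03-10T02:00:10Z 203.0.113.17 user08@example.test FAIL
2024-03-10T02:00:11Z 203.0.113.18 user09@example.test FAIL
2024-03-10T02:05:30Z 198.51.100.8 carol@example.test FAIL
2024-03-10T02:05:40Z 198.51.100.8 carol@example.test OK
"""

PER_IP_LIMIT = 5      # assumed per-IP lockout threshold that a proxy-rotating attacker stays under
MIN_FAILURES = 8      # failed logins per window before we look closer...
MIN_ACCOUNTS = 8      # ...spread over at least this many distinct accounts
WINDOW_SECONDS = 60

def parse_log(text):
    """Parse audit lines into (epoch_seconds, ip, account, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, account, outcome = line.split()
        epoch = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
        events.append((epoch, ip, account, outcome == "OK"))
    return events

def detect_stuffing(events, window=WINDOW_SECONDS):
    """Flag windows whose failures span many accounts and IPs yet never trip a per-IP limit."""
    buckets = defaultdict(list)
    for epoch, ip, account, ok in events:
        buckets[int(epoch // window)].append((ip, account, ok))
    alerts = []
    for bucket, items in sorted(buckets.items()):
        fails = [(ip, acct) for ip, acct, ok in items if not ok]
        per_ip = Counter(ip for ip, _ in fails)          # failures per source IP
        accounts = {acct for _, acct in fails}            # distinct accounts attacked
        max_per_ip = max(per_ip.values(), default=0)
        if len(fails) >= MIN_FAILURES and len(accounts) >= MIN_ACCOUNTS \
                and max_per_ip < PER_IP_LIMIT:        # the aggregate, not any one IP, is the signal
            alerts.append({"window_start": bucket * window, "failures": len(fails),
                           "accounts": len(accounts), "source_ips": len(per_ip),
                           "max_per_ip": max_per_ip})
    return alerts
```

Running `detect_stuffing(parse_log(SAMPLE_LOG))` flags only the 02:00 window; the lone failed-then-successful login at 02:05 is ordinary user behaviour and is left alone.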
