TV streaming service Roku has revealed that hackers have breached its systems and hijacked the accounts of over 15,000 users.
According to Roku, the threat actors behind the incident targeted users of the service in a credential stuffing attack from 28 December 2023 to 21 February 2024.
For those unaware, a credential stuffing attack is one in which hackers automate the entry of large lists of username and password pairs into a login page in an effort to gain access to accounts. These credentials are typically stolen in earlier breaches of other services or purchased from other threat actors, and the attack succeeds wherever a user has reused the same password.
“Roku’s security team recently observed suspicious activity indicating that certain individual Roku accounts may have been accessed by unauthorised actors,” said Roku in its data breach notice.
“We conducted an investigation to identify affected accounts, determine the scope of the unauthorised activity, protect affected accounts from further unauthorised access, identify the legitimate account holders, and identify any personal information [that] may have been compromised.
“Through our investigation, we determined that unauthorised actors had likely obtained certain usernames and passwords of consumers from third-party sources (e.g., through data breaches of third-party services that are not related to Roku).
“It appears likely that the same username/password combinations had been used as login information for such third-party services as well as certain individual Roku accounts.”
According to Roku’s notice to the Office of the Maine Attorney General, 15,363 Roku users were affected by the breach.
By gaining access to user accounts, threat actors were able to change account information such as passwords, email addresses, and shipping addresses.
This locked the users out of their accounts and, in some cases, resulted in the threat actors making subscription purchases with the stored credit card details. These purchases were reportedly identified and cancelled, with account owners being refunded.
According to BleepingComputer, the threat actors behind the breach are also selling Roku accounts for as little as 50¢ each.
The threat actor has listed the accounts for sale, giving buyers instructions on how to order goods such as cameras, streaming boxes, remotes, light strips, soundbars, and more from Roku through the hijacked accounts.
Many of the purchasers of these accounts have shared screenshots of their successful orders.
While the company’s breach notice fails to detail exactly what data, if any, was exfiltrated in the breach, it has said that access to Roku accounts did not provide the threat actors with sensitive data such as social security numbers, full payment details, birth dates, or “similar sensitive personal information requiring notification”.
Recovering Roku accounts is likely to be a difficult task, as the company does not support two-factor authentication, which would have blocked logins by threat actors holding only stolen credentials.