Thousands of Roku accounts were compromised in a credential-stuffing attack.


Roku, the US streaming company, has disclosed a data breach affecting more than 15,000 customers. The compromised accounts were used to make a number of fraudulent purchases.

In a credential-stuffing attack, threat actors collect username and password pairs exposed in earlier data breaches and replay them against other websites, counting on people having reused the same password. In this instance the target was Roku.com.


According to Roku’s data breach notification (PDF), attackers hijacked Roku accounts using username and password combinations stolen in prior breaches of third-party sites.

Because some people reuse the same combination on other websites, including Roku, the stolen credentials worked. Once logged in, the threat actors altered the details on the compromised accounts, including the email address, password, and shipping address.

Changing the email address and password locked thousands of customers out of their own accounts, after which the threat actors made purchases with the credit card details saved on those accounts; in many cases the first the owners knew of it was the order confirmation email.
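Both halves of the attack described above leave a recognizable trace in authentication logs: a stuffing run shows up as one source IP trying many distinct accounts with a very low success rate, and a takeover shows up as a successful login followed within minutes by an email or password change and then a purchase. The following detector is an added example written for this article, not Roku’s code; the log format, the sample traffic (the IPs, account identifiers and timestamps are constructed, not real data) and the thresholds are all assumptions that a real deployment would tune.

```python
"""Toy credential-stuffing / account-takeover detector over auth-log lines.

Added example, not Roku's code. The log line shape, sample data and
thresholds are constructed assumptions for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape, e.g.
# 2024-01-15T03:00:00Z ip=203.0.113.5 acct=acct-0003 event=login outcome=success
# 'acct' is a stable account id, so it survives the attacker changing the email.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) acct=(?P<acct>\S+) event=(?P<event>\S+)"
    r"(?: outcome=(?P<outcome>\S+))?$"
)


def parse_log(lines):
    """Parse log lines into dicts; 'ts' becomes a datetime, 'outcome' may be None."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def stuffing_sources(events, window=timedelta(minutes=10),
                     min_accounts=10, max_success_ratio=0.25):
    """Flag IPs whose login attempts within `window` hit many distinct accounts
    with mostly failures: one leaked password per account, most no longer valid.
    Returns the widest qualifying window seen per flagged IP."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, logins in by_ip.items():
        logins.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(logins)):
            while logins[end]["ts"] - logins[start]["ts"] > window:
                start += 1
            span = logins[start:end + 1]
            accounts = {e["acct"] for e in span}
            successes = sum(1 for e in span if e["outcome"] == "success")
            ratio = successes / len(span)
            if len(accounts) >= min_accounts and ratio <= max_success_ratio:
                best = flagged.get(ip)
                if best is None or len(accounts) > best["accounts"]:
                    flagged[ip] = {"accounts": len(accounts), "attempts": len(span),
                                   "success_ratio": round(ratio, 2)}
    return flagged


def takeover_sequences(events, window=timedelta(minutes=15)):
    """Flag accounts where a successful login is followed within `window` by an
    email/password change AND a purchase: the lock-out-then-buy pattern."""
    by_acct = defaultdict(list)
    for e in events:
        by_acct[e["acct"]].append(e)
    hits = []
    for acct, evs in by_acct.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["event"] != "login" or e["outcome"] != "success":
                continue
            later = {x["event"] for x in evs[i + 1:] if x["ts"] - e["ts"] <= window}
            if later & {"email_change", "password_change"} and "purchase" in later:
                hits.append({"acct": acct, "ip": e["ip"], "events": sorted(later)})
                break
    return hits


def _fmt(ts, ip, acct, event, outcome=None):
    line = f"{ts:%Y-%m-%dT%H:%M:%SZ} ip={ip} acct={acct} event={event}"
    return line + (f" outcome={outcome}" if outcome else "")


def constructed_log():
    """Constructed sample traffic (not real data): one legitimate user plus a
    stuffing source that tries 25 accounts and takes over one of them."""
    t0 = datetime(2024, 1, 15, 3, 0, 0)

    def s(n):
        return t0 + timedelta(seconds=n)

    lines = [
        # Legitimate user: a typo, a login, a password change, no purchase.
        _fmt(s(0), "198.51.100.7", "acct-alice", "login", "fail"),
        _fmt(s(12), "198.51.100.7", "acct-alice", "login", "success"),
        _fmt(s(90), "198.51.100.7", "acct-alice", "password_change"),
    ]
    # Stuffing source: 25 accounts in two minutes, 2 leaked passwords still work.
    for i in range(25):
        outcome = "success" if i in (3, 11) else "fail"
        lines.append(_fmt(s(5 * i), "203.0.113.5", f"acct-{i:04d}", "login", outcome))
    # Takeover of acct-0003: lock the owner out, then buy with the saved card.
    lines += [
        _fmt(s(200), "203.0.113.5", "acct-0003", "email_change"),
        _fmt(s(230), "203.0.113.5", "acct-0003", "password_change"),
        _fmt(s(400), "203.0.113.5", "acct-0003", "purchase"),
    ]
    return lines


def report(lines):
    events = parse_log(lines)
    return {"stuffing_sources": stuffing_sources(events),
            "takeovers": takeover_sequences(events)}


if __name__ == "__main__":
    print(report(constructed_log()))
```

On the constructed sample, `report` flags 203.0.113.5 (25 accounts, 2 successes) and acct-0003 (login, then email and password change, then purchase), while the legitimate user who changed her own password without buying anything is not flagged. The two signals are deliberately separate: rate-limiting the stuffing source stops the bulk of the attempts, but the takeover check is what catches the small number of accounts whose reused passwords were still valid.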

“Unauthorized actors were able to obtain login information from third-party sources and then use it to access certain individual Roku accounts,” Roku said. The hijacking was detected in January 2024.

“After gaining access, they then changed the Roku login information for the affected individual Roku accounts, and, in a limited number of cases, attempted to purchase streaming subscriptions.”

Roku said it has secured the compromised accounts and forced a password reset on them. It also reviewed the fraudulent transactions, cancelled the unauthorized subscriptions, and refunded the affected account holders.

Furthermore, “accessing the compromised Roku accounts did not give the unauthorized actors access to social security numbers, complete payment account numbers, dates of birth, or other sensitive personal information that requires notification,” the firm said.

Subscribers are urged to sign in to the Roku dashboard and review their account details, recent activity, and current subscriptions to confirm that nothing has been changed or added without their knowledge.

Much of this would have been far harder if Roku offered two-factor authentication, since a stolen password on its own would not be enough to log in; at the time of the notice, it did not. The only safeguard subscribers can set up is an account PIN, which must be entered before channels are added or purchases made. That PIN limits what an attacker can buy, but it does not stop the login itself or the change of email address and password that locks the real owner out.

It’s worth noting that the breach notice went out shortly after Roku began requiring customers to accept its new dispute-resolution terms, which effectively prevent a consumer from suing the company. Users have complained that they could not use their televisions until they consented to the terms.
