Thousands of Roku accounts hacked in credential stuffing attack


US streaming company Roku has disclosed a data breach that impacted more than 15,000 customers. The hacked accounts were used to make numerous fraudulent purchases.

In a credential-stuffing attack, threat actors take username and password pairs exposed in earlier data breaches and try them against the login pages of other websites, betting that some users reused the same password. In this case the target was Roku.com.

According to Roku’s data breach notice (PDF), the cybercriminals hijacked Roku accounts by using login and password combinations leaked from previous hacks at third-party services.


Many users reuse the same combination across multiple websites, including Roku. After taking over the accounts, the threat actors changed the account details, including email addresses, passwords, and shipping addresses.

Thousands of users were locked out of their accounts as a result, and the threat actors then made purchases with the payment card information stored on those accounts, with the legitimate owners receiving only the order confirmation emails.
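The pattern described above leaves a distinctive trace in authentication and account-activity logs: one source tries many different accounts with a low success rate, and a successful login is followed within minutes by a credential change and a purchase. The following is an added example of how a defender might flag both signals, written for this article and not Roku's own logging or detection code; the log format, IP addresses, usernames, thresholds and the `Event` helper are all constructed for illustration.

```python
"""Spot a credential-stuffing run and the account takeover that follows it.

Added example, not Roku's logging or detection code. The log format, IP
addresses, usernames and thresholds are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
CREDENTIAL_CHANGES = {"email_change", "password_change"}   # locks the owner out
MONETISATION = {"purchase", "address_change"}               # cashes the account out


class Event(NamedTuple):
    ts: datetime
    ip: str
    user: str
    event: str


def parse_line(line: str) -> Event:
    """Parse one constructed 'TIMESTAMP ip=.. user=.. event=..' log line."""
    ts_text, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.strptime(ts_text, TS_FMT), fields["ip"], fields["user"], fields["event"])


def _line(ts: datetime, ip: str, user: str, event: str) -> str:
    return f"{ts.strftime(TS_FMT)} ip={ip} user={user} event={event}"


def build_sample_log() -> List[str]:
    """Constructed sample: one legitimate user, one stuffing source, one takeover."""
    t0 = datetime(2024, 1, 15, 3, 0, 0)
    lines = []
    # Legitimate user mistypes twice, then logs in: few attempts, a single account.
    for i, ev in enumerate(["login_fail", "login_fail", "login_ok"]):
        lines.append(_line(t0 + timedelta(seconds=20 * i), "10.0.0.5", "alice", ev))
    # Stuffing run: 30 different accounts tried from one source within a minute.
    # Leaked pairs only work where the password was reused, so most attempts fail.
    victims = ["bob", "carol", "dave"]
    tried = victims + [f"u{j:03d}" for j in range(27)]
    for i, user in enumerate(tried):
        ev = "login_ok" if user in victims else "login_fail"
        lines.append(_line(t0 + timedelta(seconds=2 * i), "203.0.113.9", user, ev))
    # Takeover of bob: change email and password, then buy with the stored card.
    for mins, ev in [(2, "email_change"), (3, "password_change"), (5, "purchase")]:
        lines.append(_line(t0 + timedelta(minutes=mins), "203.0.113.9", "bob", ev))
    # carol: an email change alone is not enough for the takeover rule below.
    lines.append(_line(t0 + timedelta(minutes=4), "203.0.113.9", "carol", "email_change"))
    return lines


def find_stuffing_sources(events: List[Event], min_attempts: int = 20,
                          min_distinct_users: int = 10,
                          max_success_rate: float = 0.25) -> Dict[str, dict]:
    """Flag sources that hit many distinct accounts with mostly failed logins.

    A brute-force against one account or a forgetful user looks different:
    few distinct usernames per source. Thresholds are illustrative.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set()})
    for e in events:
        if e.event in ("login_fail", "login_ok"):
            stats = per_ip[e.ip]
            stats["attempts"] += 1
            stats["users"].add(e.user)
            stats["ok"] += e.event == "login_ok"
    flagged = {}
    for ip, stats in per_ip.items():
        rate = stats["ok"] / stats["attempts"]
        if (stats["attempts"] >= min_attempts
                and len(stats["users"]) >= min_distinct_users
                and rate <= max_success_rate):
            flagged[ip] = {"attempts": stats["attempts"],
                           "distinct_users": len(stats["users"]),
                           "success_rate": round(rate, 2)}
    return flagged


def find_takeovers(events: List[Event],
                   window: timedelta = timedelta(minutes=30)) -> List[Tuple[str, str, datetime]]:
    """Flag a successful login followed within `window` by a credential change
    AND a purchase or shipping-address change on the same account.

    The follow-on events are matched per account rather than per IP, because
    an attacker may switch addresses between the login and the spending.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)
    flagged = []
    for user, evs in by_user.items():
        for i, login in enumerate(evs):
            if login.event != "login_ok":
                continue
            later = {x.event for x in evs[i + 1:] if x.ts - login.ts <= window}
            if later & CREDENTIAL_CHANGES and later & MONETISATION:
                flagged.append((user, login.ip, login.ts))
                break
    return flagged


def analyse(lines: List[str]) -> Tuple[Dict[str, dict], List[Tuple[str, str, datetime]]]:
    events = [parse_line(line) for line in lines]
    return find_stuffing_sources(events), find_takeovers(events)


if __name__ == "__main__":
    sources, takeovers = analyse(build_sample_log())
    for ip, stats in sources.items():
        print(f"stuffing source {ip}: {stats}")
    for user, ip, ts in takeovers:
        print(f"takeover of {user} via {ip} at {ts:%H:%M:%S}")
```

On the constructed sample the stuffing rule fires on 203.0.113.9 (30 attempts, 30 distinct accounts, 10% success) and not on the legitimate user, and the takeover rule fires only on bob, whose account saw an email change, a password change and a purchase within five minutes of the login. The thresholds and the thirty-minute window are starting points to tune against real traffic, not fixed values.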

“Unauthorized actors were able to obtain login information from third-party sources and then use it to access certain individual Roku accounts,” said Roku, adding that it had discovered the hijacking in January 2024.

"After gaining access, they then changed the Roku login information for the affected individual Roku accounts, and, in a limited number of cases, attempted to purchase streaming subscriptions.”

According to Antoine Vastel, Ph.D., VP of Research at online fraud and bot management company, DataDome, a full 81% of individuals reuse the same or similar passwords for multiple accounts so threat actors with access to a list of leaked credentials have an easy time finding valid login and password combinations.

"When cybercriminals succeed in taking control of an online account, they can perform unauthorized transactions, unbeknownst to the victims. These often go undetected for a long time because logging in isn’t a suspicious action," said Vastel.

"It’s within the business logic of any website with a login page. Once a hacker is inside a user’s account, they have access to linked bank accounts, credit cards, and personal data that they can use for identity theft."

Roku says it has secured the breached accounts and forced a password reset after learning about the incident. The company also investigated unauthorized purchases made by the hackers, canceled the fraudulent subscriptions, and refunded the account holders.


Roku also said that “access to the affected Roku accounts did not provide the unauthorized actors with access to social security numbers, full payment account numbers, dates of birth, or other similar sensitive personal information requiring notification.”

Subscribers have been advised to visit the Roku dashboard and review their account activity and active memberships to make sure everything is legitimate.

Much of this would have been far harder if Roku supported two-factor authentication, since a leaked password alone would then not be enough to log in – but that is not on offer. Subscribers can only manually set up a PIN on their accounts so that apps cannot be added and purchases cannot be made without it. That PIN limits what a logged-in attacker can buy, but it is not a second factor at login.

It is notable that the data breach notice was issued not long after Roku began requiring users to accept its new dispute-resolution terms, which effectively prevent a consumer from suing the company. Users have been complaining that they could not use their TVs unless they agreed to the terms.