If you use a Roku account, make sure you secure it: Hackers recently targeted over 15,000 users of the TV streaming platform to buy unauthorized subscriptions.

On Friday, Roku notified authorities in California and Maine about the data breach, which ensnared 15,363 US residents. The hackers targeted Roku users from Dec. 28, 2023, to Feb. 21, 2024. According to the company’s data breach notice, the cybercriminals likely hijacked the Roku accounts by using login/password combinations leaked from previous hacks at third-party services.

Since some users like to use the same login/password combinations across multiple websites, the leaked credentials gave the hackers a way to break into the affected Roku accounts. “After gaining access, they then changed the Roku login information for the affected individual Roku accounts, and, in a limited number of cases, attempted to purchase streaming subscriptions,” the company said.

BleepingComputer adds that the hackers were likely taking over the Roku accounts with the goal of selling access to them for as little as $0.50. In return, buyers could make fraudulent purchases with the accounts, including Roku streaming devices and peripherals.

Roku discovered the hijacking in January. In response, the company identified the affected accounts, reset their passwords, and canceled the purchased streaming subscriptions, if any were made. The company also issued refunds for unwanted purchases.

“Finally, our team continues to actively monitor for signs of suspicious activity, to ensure that all customer information and data is kept secure,” Roku added. No payment card data, birth dates, or Social Security numbers were exposed during the incident.
The company issued the data breach notice over a week after the company began forcing users to opt into its new dispute-resolution terms, which can prevent a consumer from suing the company. To force users to agree, Roku has been displaying a pop-up on its TVs that can effectively disable the device unless the user opts in to the new dispute-resolution terms.

However, Roku told PCMag that the new data breach disclosure has nothing to do with the dispute resolution terms. The company’s data breach notice is urging affected users to secure their accounts using a unique password. However, it doesn’t appear Roku offers any two-factor authentication to make it harder for hackers to breach user accounts.