
More Than 15,000 Roku Accounts Hacked; Thieves Use Data to Buy Streaming Subscriptions

The widespread data breach affected thousands of Roku users, whose accounts were hijacked with the intention of selling them.

The digitalization of media has led to several incredible advances, but it also creates more opportunities for hackers and criminals to get their hands on user data. Roku is now informing its customers of a new security breach that has affected more than 15,000 device owners. The revelation comes just days after Roku updated its terms of service to include a provision that compels users to settle legal disputes directly with the company’s lawyers; however, Roku claims that the two recent news items are not related.

  • The data breach affected Roku owners from December through late February.
  • The company says hackers acquired login data used by customers on multiple websites, including Roku.
  • Roku says the breach had no part in the rollout of a new user agreement with enhanced protections from litigation for the company.

Roku has been informing customers who own its streaming players and smart TVs that between Dec. 28, 2023 and Feb. 21, 2024, hackers targeted 15,363 Roku customers. They broke into accounts using login information likely obtained from third-party sites. Because many people reuse the same username and password across multiple online accounts, once criminals discover a combination that works on one site or platform, they can try it elsewhere online, hoping for a match, a technique known as credential stuffing. Roku claims that this is how the hackers were able to get into the affected accounts.

“It appears likely that the same username/password combinations had been used as login information for such third-party services as well as certain individual Roku accounts,” Roku’s notification letter says. “As a result, unauthorized actors were able to obtain login information from third-party sources and then use it to access certain individual Roku accounts. After gaining access, they then changed the Roku login information for the affected individual Roku accounts, and, in a limited number of cases, attempted to purchase streaming subscriptions.”
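The sequence the letter describes (reused credentials tried against many accounts, a successful login, then a credential change or purchase) leaves a recognizable trail in authentication logs. The following is an added example, not code from Roku or this article, showing how a defender could flag it; the event names, thresholds and sample log entries are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not Roku data): time, source IP, account, event type.
EVENTS = [
    ("2024-01-05T10:00:01", "203.0.113.7", "alice@example.com", "login_fail"),
    ("2024-01-05T10:00:02", "203.0.113.7", "bob@example.com", "login_fail"),
    ("2024-01-05T10:00:03", "203.0.113.7", "carol@example.com", "login_ok"),
    ("2024-01-05T10:00:04", "203.0.113.7", "dave@example.com", "login_fail"),
    ("2024-01-05T10:02:10", "203.0.113.7", "carol@example.com", "credential_change"),
    ("2024-01-05T10:03:30", "203.0.113.7", "carol@example.com", "purchase"),
    ("2024-01-05T11:00:00", "198.51.100.20", "erin@example.com", "login_fail"),
    ("2024-01-05T11:00:20", "198.51.100.20", "erin@example.com", "login_ok"),
    ("2024-01-05T11:05:00", "198.51.100.20", "erin@example.com", "credential_change"),
]

def stuffing_sources(events, min_accounts=3, min_fail_ratio=0.5):
    """IPs that tried many distinct accounts and mostly failed (assumed thresholds)."""
    accounts, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, ip, user, kind in events:
        if kind in ("login_ok", "login_fail"):
            accounts[ip].add(user)
            total[ip] += 1
            fails[ip] += kind == "login_fail"
    return {ip for ip in total
            if len(accounts[ip]) >= min_accounts
            and fails[ip] / total[ip] >= min_fail_ratio}

def likely_takeovers(events, window=timedelta(minutes=15)):
    """Accounts where a flagged IP logged in, then changed credentials or purchased."""
    bad_ips = stuffing_sources(events)
    last_login = {}  # (ip, user) -> time of a successful login from a flagged IP
    findings = defaultdict(list)
    for ts, ip, user, kind in sorted(events):
        when = datetime.fromisoformat(ts)
        if kind == "login_ok" and ip in bad_ips:
            last_login[(ip, user)] = when
        elif kind in ("credential_change", "purchase"):
            start = last_login.get((ip, user))
            if start and when - start <= window:
                findings[user].append(kind)
    return dict(findings)

if __name__ == "__main__":
    print(likely_takeovers(EVENTS))
```

The single-account retry from 198.51.100.20 looks like an ordinary user who mistyped a password and then changed it, so it is not flagged; only the source that sprayed several accounts is.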

A follow-up report from Bleeping Computer indicates that the hackers began selling the stolen accounts for as little as $0.50 each, allowing buyers to use the acquired credit card data to buy streaming subscriptions and Roku hardware.

Roku says that it discovered the breach in January, and has reset the passwords of the affected accounts along with issuing refunds to any customers who saw their details used to make unauthorized purchases. The company also says hackers did not get access to “social security numbers, full payment account numbers, dates of birth, or other similar sensitive personal information.”

Did Hack Affect the Timing of Roku’s New User Agreement?

Roku first began notifying its customers about the data breach on Friday, March 8, just days after it first began updating its terms of service with new rules regarding litigation. Those terms have long prevented Roku device owners from joining or initiating lawsuits against the company, but the updated version directs customers with legal complaints against Roku to engage in arbitration with the business’s lawyers instead of pursuing other legal action.

Many users have recently discovered that they cannot use their Roku device to stream content unless they agree to the new terms of service first, and the company has made it unusually difficult to opt out of those guidelines. Nevertheless, Roku has informed PC Mag that the rollout of this updated user agreement has nothing to do with the timing of the security breach.

Whether or not the introduction of the new terms of service was timed to get users to agree to decrease their own legal leverage before being told of a large-scale data breach, the end result is certainly favorable for Roku. It now has multiple layers of protection against being sued for this security lapse, even though the company is laying most of the blame at the feet of affected customers anyway.

Roku is urging all customers to ensure their password for Roku is unique, though it doesn’t appear to be rolling out two-factor authentication or other enhanced security measures to help customers keep their accounts safe. This should serve as a good reminder for streaming viewers to use different passwords for all their platforms, as their payment information could be vulnerable otherwise.



David covers the biggest news stories, live events, premieres, and informational pieces for The Streamable. Before joining TS, he wrote extensively for Screen Rant and has years of experience writing about the entertainment and streaming industries. He's a Broncos fan, streams on his Toshiba Fire TV, and his favorites include "Andor," "Rings of Power," and "Star Trek: Strange New Worlds."
