More than 15,000 Roku accounts have been hacked

Mike Wheatley

Hackers have reportedly broken into more than 15,000 Roku users’ accounts, obtained their linked credit card details and, in some cases, tried to buy additional subscription services, according to a report by BleepingComputer.


The hackers, who nabbed 15,363 customer accounts in total, have reportedly been trying to sell the details on dark web-based hacker forums, and they’re asking for as little as 50 cents per account. Of course, wannabe criminals will need to pay with an anonymous cryptocurrency to proceed.

According to BleepingComputer, the hackers used a technique known as “credential stuffing” to obtain the victims’ account details. This kind of attack takes login data exposed in earlier breaches of other services and tries it against a different one. So, the hackers will use someone’s login credentials for an application like Spotify, and see if they match the ones they use for Roku. It’s a fairly successful technique because many people are lazy, and use the same email and password for various accounts and services.

Once the hacker breaks in, they change the user’s password and email address to lock the genuine account owner out. The hacker can then use the credit card linked to the stolen account, without the owner receiving any emails confirming a purchase has been made.
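The two behaviours described above leave distinct traces in an authentication log: one source trying many different accounts with mostly failed logins, and a compromised account whose password and email are changed shortly before a purchase. The following is an added detection example, not code from Roku, BleepingComputer or this article; the log format, event names and thresholds are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): time, source IP, account, event, outcome
EVENTS = [
    ("2024-03-01T10:00:01", "203.0.113.7", "alice@example.com", "login", "fail"),
    ("2024-03-01T10:00:02", "203.0.113.7", "bob@example.com", "login", "fail"),
    ("2024-03-01T10:00:03", "203.0.113.7", "carol@example.com", "login", "fail"),
    ("2024-03-01T10:00:04", "203.0.113.7", "dave@example.com", "login", "ok"),
    ("2024-03-01T10:02:00", "203.0.113.7", "dave@example.com", "password_change", "ok"),
    ("2024-03-01T10:02:30", "203.0.113.7", "dave@example.com", "email_change", "ok"),
    ("2024-03-01T10:05:00", "203.0.113.7", "dave@example.com", "purchase", "ok"),
    ("2024-03-01T11:00:00", "198.51.100.20", "erin@example.com", "login", "fail"),
    ("2024-03-01T11:00:20", "198.51.100.20", "erin@example.com", "login", "ok"),
    ("2024-03-01T11:10:00", "198.51.100.20", "erin@example.com", "purchase", "ok"),
]

def stuffing_sources(events, min_accounts=4, max_success_ratio=0.5):
    """Source IPs that try many distinct accounts with mostly failed logins."""
    tried, ok, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, ip, account, kind, outcome in events:
        if kind == "login":
            tried[ip].add(account)
            total[ip] += 1
            ok[ip] += outcome == "ok"
    return {ip for ip in tried
            if len(tried[ip]) >= min_accounts and ok[ip] / total[ip] <= max_success_ratio}

def takeover_accounts(events, window=timedelta(minutes=30)):
    """Accounts where a successful login is followed by a password change,
    an email change and a purchase, all inside one time window."""
    first = defaultdict(dict)  # account -> first successful time per event kind
    for ts, _, account, kind, outcome in events:
        if outcome == "ok":
            first[account].setdefault(kind, datetime.fromisoformat(ts))
    needed = ("login", "password_change", "email_change", "purchase")
    flagged = set()
    for account, seen in first.items():
        if all(k in seen for k in needed):
            times = [seen[k] for k in needed]
            if seen["login"] == min(times) and max(times) - min(times) <= window:
                flagged.add(account)
    return flagged

if __name__ == "__main__":
    print("stuffing sources:", stuffing_sources(EVENTS))
    print("likely takeovers:", takeover_accounts(EVENTS))
```

The second source in the sample is a user who mistyped a password once and then made a purchase; neither check flags it.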

This is dangerous for Roku users, as the company allows users to subscribe to other third-party services, such as Netflix, Disney+ and Paramount+, through their Roku accounts.

The company told BleepingComputer via email that it’s aware of the attack and that it has notified affected users, and forced them to reset their passwords. It is also taking steps to identify fraudulent charges, and promised it will refund anyone who lost out.

Users who’re worried they may have been affected by the breach can go directly to my.roku.com and reset their password by clicking on the relevant link. They can then review their credit card purchase history and stored credentials to ensure everything is okay.

Remember folks, it’s never a good idea to reuse the same password for multiple services. Although convenient, it leaves users much more vulnerable, as it only takes one account to be hacked for all of the others to be compromised. If you’re not very good at remembering different passwords, you can always try a password manager tool.

The attack brings more bad press to Roku, coming just days after it made a controversial update to its dispute resolution policy, which reportedly left a number of users fuming. They’re angry because the company is forcing them to accept the new terms, under the threat of deactivating their Roku device.