Hackers used one of the oldest tricks in the book to turn a buck. All at the expense of several thousand Roku users.
Roku notified users that “certain individual Roku accounts” might have been accessed by someone other than their owners. The method of attack was credential stuffing, where username and password pairs stolen from one service are “stuffed” into the login pages of other services until some of them work. With this form of attack, a single password reused across accounts can hand an attacker access to all of them.
Roku determined that was the likely cause here, with at least 15,000 users affected.[i]
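To make the attack pattern concrete, here is an added example (not from the original post, and not a description of Roku’s systems) of how a service’s defenders can spot credential stuffing in their own authentication logs: one source address trying many different usernames with a high failure rate, where the handful of successes marks the accounts whose owners reused a leaked password. The log format, IP addresses, usernames and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log, one login attempt per line: time, source IP, username, outcome.
# 203.0.113.7 replays a leaked list of username/password pairs: many different
# accounts, mostly failing, with the few reused passwords succeeding.
# 198.51.100.20 is an ordinary user who mistypes a password twice.
# 192.0.2.9 hammers a single account: password guessing, a different pattern.
SAMPLE_LOG = """\
2024-03-08T10:00:01Z 203.0.113.7 alice FAIL
2024-03-08T10:00:02Z 203.0.113.7 bob FAIL
2024-03-08T10:00:03Z 203.0.113.7 carol SUCCESS
2024-03-08T10:00:04Z 203.0.113.7 dave FAIL
2024-03-08T10:00:05Z 203.0.113.7 erin FAIL
2024-03-08T10:00:06Z 203.0.113.7 frank FAIL
2024-03-08T10:00:07Z 203.0.113.7 grace SUCCESS
2024-03-08T10:00:08Z 203.0.113.7 heidi FAIL
2024-03-08T10:00:09Z 203.0.113.7 ivan FAIL
2024-03-08T10:00:10Z 203.0.113.7 judy FAIL
2024-03-08T10:05:00Z 198.51.100.20 mallory FAIL
2024-03-08T10:05:09Z 198.51.100.20 mallory FAIL
2024-03-08T10:05:20Z 198.51.100.20 mallory SUCCESS
2024-03-08T10:07:00Z 192.0.2.9 admin FAIL
2024-03-08T10:07:01Z 192.0.2.9 admin FAIL
2024-03-08T10:07:02Z 192.0.2.9 admin FAIL
2024-03-08T10:07:03Z 192.0.2.9 admin FAIL
"""


def parse_events(log_text):
    """Turn 'time ip user outcome' lines into (ip, user, succeeded) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, ip, user, outcome = parts
        events.append((ip, user, outcome == "SUCCESS"))
    return events


def summarize_sources(events):
    """Per source IP: attempt count, failure count, distinct usernames tried, accounts logged into."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "succeeded": set()})
    for ip, user, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["succeeded"].add(user)
        else:
            s["failures"] += 1
    return stats


def stuffing_sources(events, min_users=5, min_fail_ratio=0.7):
    """Source IPs showing the stuffing signature: many distinct accounts, mostly failing.

    Thresholds are illustrative assumptions. A single account hit many times is
    password guessing rather than stuffing and is deliberately not returned here.
    """
    flagged = set()
    for ip, s in summarize_sources(events).items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            flagged.add(ip)
    return flagged


def likely_compromised(events, **thresholds):
    """Accounts a flagged source logged into: the ones to force-reset and review for fraudulent purchases."""
    stats = summarize_sources(events)
    hits = set()
    for ip in stuffing_sources(events, **thresholds):
        hits |= stats[ip]["succeeded"]
    return sorted(hits)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("stuffing sources:", sorted(stuffing_sources(ev)))
    print("accounts to reset:", likely_compromised(ev))
```

The distinct-username count is what separates stuffing from ordinary brute force, and the successes from a flagged source are the accounts whose owners reused a password somewhere else. In practice attackers spread attempts across many addresses, so a per-IP threshold like this one is a starting point, not the whole defense; rate limiting, checking new passwords against known-breached lists and offering a second factor close the gap.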
“Through our investigation, we determined that unauthorized actors had likely obtained certain usernames and passwords of consumers from third-party sources (e.g., through data breaches of third-party services that are not related to Roku).”
So while Roku itself wasn’t breached, hackers used login details exposed in other companies’ data breaches to break into these accounts, then sold the accounts online, reportedly for as little as fifty cents each.
With access to the compromised accounts, thieves tried to purchase subscriptions and hardware using stored payment options.
Roku went on to say that these unauthorized actors didn’t get access to “social security numbers, full payment account numbers, dates of birth, or other similar sensitive personal information requiring notification.”
The company said it continues to monitor accounts for unusual activity and that it’s working with subscribers to refund any unauthorized charges.
It has also reset passwords for potentially affected account holders. The company directed users to visit my.roku.com and use the “Forgot password?” option on the sign-in page.
What can I do if I think I got caught up in the Roku breach?
While an estimated 15,000+ compromised accounts have been identified, more might be at risk as well. Every Roku subscriber should check their account for unusual activity and then change their password to one that’s both strong and unique.
With that, we recommend the following steps, which can help prevent and halt harm done with your personal info.
Keep an eye out for phishing attacks.
With some personal info in hand, bad actors might seek out more. They might follow up a breach with rounds of phishing attacks that direct you to bogus sites designed to steal your personal info — either by tricking you into providing it or by stealing it without your knowledge. So look out for phishing attacks, particularly after breaches.
If you are contacted by a company, make certain the communication is legitimate. Bad actors might pose as them to steal personal info. Don’t click or tap on links sent in emails, texts, or messages. Instead, go straight to the appropriate website or contact them by phone directly.
In this case, head to my.roku.com and use the “Forgot password?” option as the company suggests.
Change your passwords and use a password manager.
Changing passwords now is a must. Strong and unique passwords are best, which means never reusing a password across different sites and platforms; that reuse is exactly what credential stuffing depends on. A password manager helps you keep on top of it all while storing your passwords securely. Moreover, changing a password as soon as you learn it might have been exposed makes the stolen copy worthless.
Enable two-factor authentication.
While a strong and unique password is a good first line of defense, enabling two-factor authentication across your accounts adds another layer of security: a stolen password alone is no longer enough to log in. It’s increasingly common nowadays, where banks and all manner of online services will only allow access to your accounts after you’ve also provided a second factor, such as a one-time passcode from an authenticator app or one sent to your smartphone or email. If your accounts support two-factor authentication, enable it.
Unfortunately at this time, Roku users don’t have this option available to them (although Roku does offer it for its smart home app).
Consider using identity monitoring, particularly for the dark web.
An identity monitoring service can monitor everything from email addresses to IDs and phone numbers for signs of breaches so you can take action to secure your accounts before they’re used for identity theft. Personal info harvested from data breaches can end up on dark web marketplaces where other bad actors buy it for their own attacks. Ours monitors the dark web for your personal info and provides early alerts if your data is found on there, an average of 10 months ahead of similar services. We also provide guidance to help you act if your info is found.
In the case of the Roku attack, the account thieves purchased compromised accounts on dark web marketplaces. Identity monitoring can help you spot that kind of activity, which then lets you know it’s time to change your passwords.
Check your credit, consider a security freeze, and get ID theft protection.
Although Roku said it found no evidence that account thieves gained access to further sensitive info, treat your info as if they had and strongly consider taking preventive measures now. Checking your credit and getting identity theft protection can help keep you safe in the wake of a breach. Further, a security freeze can help prevent identity theft if you spot any unusual activity. You can get all three in place with our McAfee+ Advanced or Ultimate plans. Features include:
- Credit monitoring keeps an eye on changes to your credit score, report, and accounts with timely notifications and guidance so you can take action to tackle identity theft.
- Security freeze protects you proactively by stopping unauthorized access to existing credit card, bank, and utility accounts, and by preventing new ones from being opened in your name. It won’t affect your credit score.
- ID Theft & Restoration Coverage gives you $2 million in identity theft coverage and identity restoration support if you’re determined to be a victim of identity theft. This way, you can cover losses and repair your credit and identity with a licensed recovery expert.
Consider using comprehensive online protection.
A complete suite of online protection software can offer layers of extra security. In addition to more private and secure time online with a VPN, identity monitoring, and password management, it includes web browser protection that can block malicious and suspicious links that might lead you down the road to malware or a phishing scam — which antivirus protection can’t do alone. Additionally, we offer support from a licensed recovery pro who can help you restore your credit, just in case.
[i] https://apps.web.maine.gov/online/aeviewer/ME/40/e9cc298b-379b-47ba-a10d-e2263963b574.shtml