Wednesday, March 13, 2024

Roku credit card breach

When I posted yesterday about how to remove credit card information from your Roku account, I hadn't heard about the data breach.

Now, I wish I had posted it earlier. I had it ready to go a while back, but kept putting it off. I'm sorry I waited.

As far as I know, I wasn't impacted by the Roku data breach, as I've not received a notification that I understand they sent to those impacted. Maybe they just haven't gotten to me yet, but I'm guessing I wasn't actually impacted.

According to reports, some 15,000 Roku accounts were compromised. Roku has 80 million user accounts, so the number is actually a small percentage. That doesn't make it okay, just that it's unlikely I'm impacted.

Bleeping Computer says Roku announced the breach on March 8:

On Friday, Roku first disclosed the data breach, warning that 15,363 customer accounts were hacked in a credential stuffing attack.

A credential stuffing attack is when threat actors collect credentials exposed in data breaches and then attempt to use them to log in to other sites, in this case, Roku.com.

The company says that once an account was breached, it allowed threat actors to change the information on the account, including passwords, email addresses, and shipping addresses.

This effectively locked a user out of the account, allowing the threat actors to make purchases using stored credit card information without the legitimate account holder receiving order confirmation emails.

"It appears likely that the same username/password combinations had been used as login information for such third-party services as well as certain individual Roku accounts," reads the data breach notice.

"As a result, unauthorized actors were able to obtain login information from third-party sources and then use it to access certain individual Roku accounts."

"After gaining access, they then changed the Roku login information for the affected individual Roku accounts, and, in a limited number of cases, attempted to purchase streaming subscriptions."

Roku says that it secured the impacted accounts and forced a password reset upon detecting the incident.
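Credential stuffing, as the quoted article describes it, leaves a footprint in a site's login logs that differs from a classic brute-force attack: one source address tries many different usernames, each only once or twice, and most of the attempts fail because only the reused passwords work. The script below is an added example, not code from Roku or from Bleeping Computer, and nothing in the post says how Roku detected the attack. It runs a detector over a constructed sample of login events (the log format, IP addresses, usernames and thresholds are all assumptions) and, for each flagged source, lists the accounts that did log in successfully from it, which is the set an operator would force a password reset on.

```python
"""Credential-stuffing detector over a constructed sample of login logs.

Added example, not code from Roku or Bleeping Computer. The log format,
addresses, usernames and thresholds are assumptions made for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample, one event per line: "<ISO timestamp> <source ip> <username> <OK|FAIL>"
# 198.51.100.7  : ten different usernames in five seconds, two succeed (stuffing pattern)
# 203.0.113.9   : one username hammered repeatedly (brute force, not stuffing)
# 192.0.2.5     : a user mistypes once, then logs in (normal)
# 203.0.113.50  : a shared office gateway, many users, all succeed (must NOT be flagged)
SAMPLE_LOG = """\
2024-03-01T10:00:00Z 198.51.100.7 alice@example.com FAIL
2024-03-01T10:00:01Z 198.51.100.7 bob@example.com FAIL
2024-03-01T10:00:01Z 198.51.100.7 carol@example.com OK
2024-03-01T10:00:02Z 198.51.100.7 dave@example.com FAIL
2024-03-01T10:00:02Z 198.51.100.7 erin@example.com FAIL
2024-03-01T10:00:03Z 198.51.100.7 frank@example.com FAIL
2024-03-01T10:00:03Z 198.51.100.7 grace@example.com OK
2024-03-01T10:00:04Z 198.51.100.7 heidi@example.com FAIL
2024-03-01T10:00:04Z 198.51.100.7 ivan@example.com FAIL
2024-03-01T10:00:05Z 198.51.100.7 judy@example.com FAIL
2024-03-01T10:05:00Z 203.0.113.9 mallory@example.com FAIL
2024-03-01T10:05:01Z 203.0.113.9 mallory@example.com FAIL
2024-03-01T10:05:02Z 203.0.113.9 mallory@example.com FAIL
2024-03-01T10:05:03Z 203.0.113.9 mallory@example.com FAIL
2024-03-01T10:05:04Z 203.0.113.9 mallory@example.com FAIL
2024-03-01T10:05:05Z 203.0.113.9 mallory@example.com FAIL
2024-03-01T11:00:00Z 192.0.2.5 alice@example.com FAIL
2024-03-01T11:00:30Z 192.0.2.5 alice@example.com OK
2024-03-01T12:00:00Z 203.0.113.50 kim@example.com OK
2024-03-01T12:00:01Z 203.0.113.50 lee@example.com OK
2024-03-01T12:00:02Z 203.0.113.50 max@example.com OK
2024-03-01T12:00:03Z 203.0.113.50 nia@example.com OK
2024-03-01T12:00:04Z 203.0.113.50 ola@example.com OK
2024-03-01T12:00:05Z 203.0.113.50 pat@example.com OK
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    username: str
    success: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the constructed log format; malformed or blank lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        events.append(LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                 ip, user, result == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=5, max_success_rate=0.5):
    """Return {src_ip: sorted usernames that logged in OK from that IP} for every
    source that, within any sliding `window`, tried at least `min_users` distinct
    usernames with a success rate no higher than `max_success_rate`.

    The success-rate ceiling is what keeps a shared egress address (office NAT,
    carrier-grade NAT) out of the results: it also shows many usernames, but
    almost all of its logins succeed.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        users_in_window = Counter()   # username -> attempts inside the window
        successes = 0
        left = 0
        for right, e in enumerate(evs):
            users_in_window[e.username] += 1
            successes += e.success
            # Slide the left edge forward until the window is at most `window` wide.
            while evs[right].ts - evs[left].ts > window:
                old = evs[left]
                users_in_window[old.username] -= 1
                if users_in_window[old.username] == 0:
                    del users_in_window[old.username]
                successes -= old.success
                left += 1
            size = right - left + 1
            if len(users_in_window) >= min_users and successes / size <= max_success_rate:
                # Accounts that were entered successfully from this source are the
                # ones to lock and force through a password reset.
                flagged[ip] = sorted({x.username for x in evs if x.success})
                break
    return flagged


if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: credential stuffing; force reset on {', '.join(accounts)}")
```

Running it flags only 198.51.100.7 and names carol and grace as the accounts to reset; the brute-force source fails the distinct-username test and the office gateway fails the success-rate test. In practice the thresholds need tuning per site, and a stuffing campaign spread across a botnet will show a few usernames per address, so the same logic is usually also run keyed on other attributes (for example a shared client fingerprint or ASN) rather than on source IP alone.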

Since I can log into Roku without having to reset my password, I assume I wasn't impacted.

I don't like the way Roku has handled this. They're downplaying it, and that's not good. Any data breach is bad. If someone's account is compromised because they have an easy password, then that's not Roku's fault. But if the Roku systems were breached, that is Roku's fault, and that's inexcusable. No reputable company should experience that type of data breach.

My Streaming Life has involved Roku since 2010. The recent actions of the company have disappointed me greatly.
