Forum Discussion
Modern strong authentication mechanisms used in or as multi-factor or two-factor authentication (MFA, 2FA) include Passkeys (a.k.a. WebAuthn), Tokens (e.g. YubiKey), and Time-based One Time Password (TOTP, a.k.a. your "authenticator app"). These are well supported by popular password managers and other tools.
Less robust second factor authentication methods include sending codes by email or SMS [Strongly discouraged].
For sites and services which only use weak password authentication, breaches provide access to accounts for anyone with access to the breach data. The best resource for information on breaches and checking your email (or domain) is Troy Hunt's Have I Been Pwned (HIBP).
- pdxviewer, 2 years ago, Binge Watcher
I for one am flabbergasted as to why ROKU DOES NOT UTILIZE MFA/2FA etc. to secure accounts! It is inexcusable and should be implemented. Now, more than ever. If you are concerned with end users not being able to log in with their TV, box etc., then enable what other sites do, a nice little link to join where you enter a predefined code on the TV to pair it once the user is logged in.
SERIOUSLY ROKU! Get with the program!!!! (No Pun intended)
- AJCxZ0, 2 years ago, Streaming Star
After the "second incident, which impacted approximately 576,000 additional accounts." reported in the fourth paragraph of the disingenuously titled Protecting your Roku account, instead of adopting any of the common, reliable, well-supported and secure 2FA/MFA options, Roku has forced the inconvenient code-via-plaintext-email on all accounts with no option to disable it.
An alternative of the static "last 5 characters of the device ID" from any (presumably owned) Roku device is provided. While not comparable to a good modern authentication method, it does satisfy the something-you-know where that something is not widely known (such as a Social Security Number). Testing this, I found:
- Roku Ultra (4800 series): This device ID does not match our records.
- Roku Ultra (4640 series): This device ID does not match our records.
- Roku Streaming Stick+ (3810, 3811 series): This device ID does not match our records.
I did not bother powering on the Roku Premiere+ (4630 series) to test it. All these devices show up on my Dashboard.
The page offers, "Need help? Visit Roku customer support.", but instead of customer support, it's How to change your password or email for your Roku account.