Modern strong authentication mechanisms used in or as multi-factor or two-factor authentication (MFA, 2FA) include Passkeys (a.k.a. WebAuthn), Tokens (e.g. YubiKey), and Time-based One-Time Password (TOTP, a.k.a. your "authenticator app"). These are well supported by popular password managers and other tools.
Less robust second factor authentication methods include sending codes by email or SMS [Strongly discouraged].
For sites and services which only use weak password authentication, breaches provide access to accounts for anyone with access to the breach data. The best resource for information on breaches and checking your email (or domain) is Troy Hunt's Have I Been Pwned (HIBP).
After the "second incident, which impacted approximately 576,000 additional accounts." reported in the fourth paragraph of the disingenuously titled Protecting your Roku account, instead of adopting any of the common, reliable, well-supported and secure 2FA/MFA options, Roku has forced the inconvenient code-via-plaintext-email on all accounts with no option to disable it.
An alternative of the static "last 5 characters of the device ID" from any (presumably owned) Roku device is provided. While not comparable to a good modern authentication method, it does satisfy the something-you-know where that something is not widely known (such as a Social Security Number). Testing this, I found:
- Roku Ultra (4800 series): This device ID does not match our records.
- Roku Ultra (4640 series): This device ID does not match our records.
- Roku Streaming Stick + (3810, 3811 series): This device ID does not match our records.
I did not bother powering on the Roku Premiere+ (4630 series) to test it. All these devices show up on my Dashboard.
The page offers, "Need help? Visit Roku customer support.", but instead of customer support, it's How to change your password or email for your Roku account.