Features, settings & updates

Get troubleshooting tips to configure your Roku settings. The community forum has tips for screen mirroring, Guest Mode, software updates, audio, and more.
atc98092
Community Streaming Expert

Re: Roku customer data hacked and sold

@RockOn wrote:

External source https://finance.yahoo.com/video/roku-576k-accounts-hacked-second-165955992.html reports this today 04/14/2024: Roku: 576K accounts hacked in second data breach of 2024
I've now read more detailed information. Roku was NOT "hacked". Other sites were hacked and login credentials were stolen from "those" sites. If someone's credentials that were stolen were the same as they used on the Roku site, then they simply logged into the Roku account as if they were the real user. No one can protect an account from something like that unless they use two-factor authentication. And Roku just implemented 2FA, forcing us to receive an email to the registered account address to complete login. And of course that will only keep someone out if they don't also have the password to the email account.

Using the same password on numerous web sites is dangerous, as this has demonstrated. But Roku was not at fault for any of it, unless you want to fault them for not deploying 2FA sooner. No data was stolen from Roku. Some services were charged to users' Roku accounts, but Roku has refunded any such charges. Personal information, such as complete credit card numbers, was not stolen. And the uproar that has happened because they have now implemented it, even after the publicity of this attack, shows people simply don't want to bother with increased security. But unfortunately we now have to accept 2FA to help keep our accounts safer.

Dan

Roku Community Streaming Expert

Help others find this answer and click "Accept as Solution."
If you appreciate my answer, maybe give me a Kudo.

I am not a Roku employee, just another user.
RockOn
Channel Surfer

Re: Roku customer data hacked and sold

Thanks, Dan. I understand your explanation. The hackers stole credentials from a different site, not from Roku. Only the credentials that were identical between that site and Roku became vulnerable to this credential stuffing attack.

I'm grateful to learn from you that Roku sent email yesterday to notify impacted users, implemented 2FA to keep our accounts safer, and refunded unauthorized charges.

RICKART
Newbie

Re: Did anyone hear of the Roku Hack

HOW TO GEEK is a long-time email subscription that is reporting:

"Roku will enforce mandatory two-factor authentication (2FA) on all accounts following security breaches that affected approximately 591,000 user accounts earlier this year. The breaches apparently occurred in two separate incidents, with the first impacting 15,363 accounts and prompting closer monitoring of account activity in March. The company then discovered a much bigger breach affecting about 576,000 accounts. Less than 1% of all Roku accounts were affected by the breach, but due to the massive scale of Roku's installation base, that's still a lot of people."

THEY'RE ADVISING ALL ROKU ACCOUNTS TO CHANGE PW IMMED.
atc98092
Community Streaming Expert

Re: Did anyone hear of the Roku Hack

@RICKART all true, but missing one critical detail. The breaches did not happen on Roku servers. The breaches occurred on other sites, which did provide the thieves with stolen login credentials to that specific site. The issue is people often use the same user credentials on different sites, and that's what happened at Roku. The credentials stolen from other sites would work on the Roku site. Roku themselves did not lose any personal information, such as complete credit card info. By implementing 2FA, even if they have the correct credentials they cannot successfully log into the Roku account, since they would also have to have access to the stolen email account.

Dan

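The pattern Dan describes in both of his replies (a credential list stolen elsewhere replayed against Roku logins, succeeding only on reused passwords and stopped only where the email second factor was on) shows up in login telemetry. The following is an added illustration, not code from Roku or from anyone in this thread; the log format, IP addresses, account names and outcome labels are all constructed.

```python
from collections import defaultdict

# Constructed sample login records (not real Roku logs): time, source IP,
# account, outcome. FAIL = wrong password, OK = logged in,
# MFA_PENDING = password correct but the emailed code was never supplied.
SAMPLE_LOG = """\
2024-04-12T10:00:01 203.0.113.7 alice@example.com FAIL
2024-04-12T10:00:02 203.0.113.7 bob@example.com FAIL
2024-04-12T10:00:02 203.0.113.7 carol@example.com MFA_PENDING
2024-04-12T10:00:03 203.0.113.7 dave@example.com OK
2024-04-12T10:00:03 203.0.113.7 erin@example.com FAIL
2024-04-12T10:00:04 203.0.113.7 frank@example.com FAIL
2024-04-12T10:05:00 198.51.100.20 alice@example.com OK
2024-04-12T10:06:00 198.51.100.21 bob@example.com FAIL
2024-04-12T10:06:30 198.51.100.21 bob@example.com OK
"""

def parse(log_text):
    """Split each record into a dict; one record per line."""
    rows = []
    for line in log_text.splitlines():
        ts, ip, account, outcome = line.split()
        rows.append({"ts": ts, "ip": ip, "account": account, "outcome": outcome})
    return rows

def stuffing_sources(rows, min_accounts=5, min_fail_ratio=0.6):
    """IPs that tried many distinct accounts and mostly failed: the signature
    of replaying a credential list stolen from some other site."""
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0, "fails": 0})
    for r in rows:
        s = per_ip[r["ip"]]
        s["accounts"].add(r["account"])
        s["attempts"] += 1
        if r["outcome"] == "FAIL":
            s["fails"] += 1
    return sorted(ip for ip, s in per_ip.items()
                  if len(s["accounts"]) >= min_accounts
                  and s["fails"] / s["attempts"] >= min_fail_ratio)

def accounts_needing_action(rows, suspicious_ips):
    """Accounts where a suspicious IP had the right password. Those with the
    email second factor only reached MFA_PENDING; those without were taken
    over and need a forced reset and a review of charges."""
    taken_over, saved_by_mfa = set(), set()
    for r in rows:
        if r["ip"] in suspicious_ips and r["outcome"] == "OK":
            taken_over.add(r["account"])
        elif r["ip"] in suspicious_ips and r["outcome"] == "MFA_PENDING":
            saved_by_mfa.add(r["account"])
    return sorted(taken_over), sorted(saved_by_mfa)
```

A single user mistyping their own password (198.51.100.21 above) touches one account and is not flagged; the thresholds are assumptions to tune against real traffic.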
DanUK
Binge Watcher

Roku Hack response is really bad practice

This is really bad practice. The very first thing you do is email customers and explain why you are doing a forced password reset.

I love how companies try to say only X accounts were affected when the reality is they probably have no idea what hackers were able to obtain.

I do feel that it is irresponsible for users to use the same password on two sites where there is a potential for a financial loss, but there seems to me to be more to this story.

The only way to protect your data is not to provide it in the first place. I did not provide my credit card information, and based on some of the things I have found out about Roku snooping on my usage it is clear I made the right decision. On other sites I try to trade at arm's length; for example, with Apple I removed my card details and only use Apple Gift cards that I buy in supermarkets or online from 3rd parties.

I do not use the same credentials with Amazon Echo and Ring devices, none of them are given my true location although I am well aware that Amazon can determine this from neighbours via their mesh network so have taken steps to prevent that.

I don't let any organisation use my wifi, and my ISP uses random IPs from their network of data centres; I have my router shut off for an hour overnight to ensure a new one each day. I use different browsers for different purposes; nothing secure is used on the browser I am using to access this website.

I do not even provide the same email address to two different organisations, never mind the same password; I generate new passwords for every site. So no crumbs, and any security issues only affect the single company.

Sadly these and other steps are necessary in these days of hackers and sloppy corporations. I suspect that the haveibeenpwned website will be updated with this alleged hack in due course. That was where I found out my account details at Amazon and eBay had been stolen. I do not store CC information with either nor allow PayPal charges without TFA on a separate dedicated phone.

We have to take some responsibility to protect our data, such as not providing it unless absolutely necessary, but still I would have liked it if Roku had informed me.
