Forum Discussion

AJCxZ0
Streaming Star
2 years ago

Roku Data Breach 28 Dec 2023 - 21 Feb 2024

From Office of the Maine Attorney General Data Breach Notifications:

Date(s) Breach Occurred: 12/28/2023 - 2/21/2024
Date Breach Discovered: 1/4/2024 - 2/21/2024

From Over 15,000 hacked Roku accounts sold for 50¢ each to buy hardware - 11 Mar 2024,

Update 3/11/24: After the publication of our article, Roku disputed what we were told, stating that the new Dispute Resolution Terms are not related to the hacked accounts and fraudulent activities.

See Roku disables players and TVs with attempt to coerce arbitration agreement for reference.

Roku hackers breach 15,000 accounts and are selling them online 12 Mar 2024

Thousands of Roku accounts hacked including credit cards — what you need to know 12 Mar 2024

Over 15,000 Roku Accounts Hacked & Sold Online to Use People's Saved Credit Cards 11 Mar 2024

There is much similar reporting by many other outlets.

5 Replies

  • AJCxZ0
    Streaming Star

    Modern strong authentication mechanisms used in or as multi-factor or two-factor authentication (MFA, 2FA) include Passkeys (a.k.a. WebAuthn), Tokens (e.g. YubiKey), and Time-based One Time Password (TOTP, a.k.a. your "authenticator app"). These are well supported by popular password managers and other tools.

    Less robust second factor authentication methods include sending codes by email or SMS [Strongly discouraged].

    For sites and services which only use weak password authentication, breaches provide access to accounts for anyone with access to the breach data. The best resource for information on breaches and checking your email (or domain) is Troy Hunt's Have I Been Pwned (HIBP).

    • pdxviewer
      Binge Watcher

      I for one am flabbergasted as to why ROKU DOES NOT UTILIZE MFA/2FA etc. to secure accounts! It is inexcusable and should be implemented. Now, more than ever. If you are concerned with end users not being able to log in with their TV, box etc., then enable what other sites do: a nice little link to join where you enter a predefined code on the TV to pair it once the user is logged in.

      SERIOUSLY ROKU! Get with the program!!!! (No pun intended)

    • AJCxZ0
      Streaming Star

      After the "second incident, which impacted approximately 576,000 additional accounts." reported in the fourth paragraph of the disingenuously titled Protecting your Roku account, instead of adopting any of the common, reliable, well-supported and secure 2FA/MFA options, Roku has forced the inconvenient code-via-plaintext-email on all accounts with no option to disable it.

      An alternative of the static "last 5 characters of the device ID" from any (presumably owned) Roku device is provided. While not comparable to a good modern authentication method, it does satisfy the something-you-know where that something is not widely known (such as a Social Security Number). Testing this, I found

      1. Roku Ultra (4800 series): This device ID does not match our records.
      2. Roku Ultra (4640 series): This device ID does not match our records.
      3. Roku Streaming Stick+ (3810, 3811 series): This device ID does not match our records.

      I did not bother powering on the Roku Premiere+ (4630 series) to test it. All these devices show up on my Dashboard.

      The page offers, "Need help? Visit Roku customer support.", but instead of customer support, it's How to change your password or email for your Roku account.

  • Roku is correct in saying that the new TOS is unrelated to the recent data breach HOWEVER, what I believe is subject to suspicion is the timing of the "forced" acceptance of the new TOS days before the official disclosure of the data breach:

      2023: Roku completes new TOS

      January 2024: Breach discovered

      March 5: Forced acceptance of new TOS

      March 8: disclosure of data breach

    It's not so much the new TOS (all companies update their TOS to their benefit) but rather the forced acceptance mechanism days before the disclosure of the breach. I'm questioning whether this unexpected and unusual manner of coercion is indeed related to the disclosure, and that should be the query.

  • Hakemon
    Channel Surfer

    That's it, I'm reaching out to "my contact" to see what options I have.

    I am livid for being this violated.  I advise all of you to do the same to see what our options are.  Do NOT listen to armchair people here, they are not "your contact".  Only listen to your contact.