Never reuse passwords: It’s a golden rule of data security, and unfortunately for thousands of Roku users, it’s a lesson they learned the hard way.
Roku disclosed late last week that more than 15,000 accounts were hijacked, with the hackers using credit card info stored on the stolen accounts to buy streaming subscriptions, home theater and smart home hardware, and other items.
As Bleeping Computer reports, the hackers managed to gain access to the accounts not via a Roku data breach, but by using one of the oldest tricks in the book: credential stuffing.
Put simply, the hackers used stolen username and password combinations from a third party, and then plugged those credentials into other online services, hoping at least some of the accounts were accessible using the same passwords.
Roku was one of the targets, and it appears the hackers managed to break into roughly 15,000 Roku accounts using the compromised usernames and passwords.
Once they were in, hackers were able to change the Roku account holder’s password, e-mail address, and shipping details—and in a “limited number of cases,” they used stored credit card information to go on shopping sprees, according to Roku.
Additionally, Bleeping Computer spotted some of the stolen Roku accounts being sold on “stolen account marketplaces” for “as little as” 50 cents each, and shared screenshots of fraudulently purchased Roku security cameras, light strips, remotes, and other wares.
Roku says it “secured” the hijacked accounts by forcing users to reset their passwords, and then canceled or refunded any suspicious purchases.
Roku promises that the hackers didn’t gain access to social security numbers, “full” payment account numbers, dates of birth, or other “sensitive” personal information.
The moral of the story: Always use unique (and strong) passwords for your accounts, including those for streaming services. And in case you’re wondering, here’s how to change your Roku password.
That said, Roku should do its part by rolling out two-factor authentication for its streaming accounts. (Roku does offer 2FA for its smart home app.)
This is the second time in recent days that Roku has made headlines for the wrong reasons.
Last week, Roku users took the streamer to task for threatening to lock them out of their Roku TVs and streaming devices until they accepted the company’s new dispute resolution terms.