The data breach compromised more than 15,000 Roku accounts, in some cases allowing “fraudsters” to access customers' stored financial information.
The company disclosed the attack Friday in a filing with the attorneys general's offices in Maine and California, noting that it discovered and investigated the breach between January 1 and February 21. However, the breach began on December 28, 2023.
Roku said in a notice to affected customers that it appears the hacker obtained the username and password combinations for thousands of logins from a third-party source. So this may not be a hack into the Roku system itself, but rather the result of hackers discovering compromised credentials in other companies' data breaches and checking to see if the same logins are being used on Roku.
After gaining access, the hackers changed affected customers' login information and, in some cases, attempted to use the stored credentials to purchase streaming subscriptions, the company said.
However, Bleeping Computer, which first reported the breach, said the financial information was not obtained simply to purchase a Netflix account. According to the publication, it was found that the hacker put some of the stolen information up on his marketplace, where he sells it for just $0.50 per account and allows buyers to access the financial data stored in each profile.
Fortunately, the “fraudsters” did not obtain any payment account numbers, Social Security numbers, dates of birth or other similarly sensitive personal information, Roku said.
The company then informed affected customers that it is now protecting their accounts from further unauthorized access by requiring each account holder to reset their password. Roku also said it investigated account activity to see whether the hackers had incurred subscription charges, and if so, canceled and refunded them.
Although the number of affected accounts (15,363) is small compared to Roku's 80 million active user accounts last year, if you're concerned that your account was affected, you can create a new password at my.Roku.com; the company recommends resetting it. We also recommend that you review the subscriptions and devices linked to your account and constantly monitor your account for fraudulent activity.