2024-03-12

Key Takeaways

Roku reports 15,363 customer accounts breached due to a third-party service hack with limited access to sensitive data.

Hackers used a credential stuffing attack to change passwords and purchase subscriptions on affected accounts.

Affected Roku account holders should reset passwords, monitor transactions, and use password managers for future security.

Roku, the maker of affordable streaming set-top boxes and the ad-supported Roku Channel, disclosed that 15,363 customer accounts were breached sometime between Dec. 28, 2023 and Feb. 21, 2024, as first reported by Bleeping Computer and detailed in filings with the attorneys general of California and Maine.

According to Roku, the account information was obtained through a third-party service not affiliated with Roku: login credentials exposed in some other breach that happened to also work as a Roku login because the same email and password had been reused. This didn't give the hackers access to highly sensitive information like Social Security numbers or credit card numbers, but in a limited number of cases it did allow them to purchase subscriptions to streaming services like Max or Peacock.

Bleeping Computer identifies the method the hackers used as a "credential stuffing attack" in which "threat actors collect credentials exposed in data breaches and then attempt to use them to log in to other sites." Once they were in, the hackers were able to change the password of affected accounts and then used them as they pleased.
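Credential stuffing looks different from brute force in a login log: one source tries many different accounts, mostly fails, and occasionally succeeds. The following added example (not code from the article or from Roku) runs a simple detector over constructed sample log lines; the log format, the field names and the thresholds are assumptions for illustration.

```python
"""Flag credential-stuffing sources in a (constructed) login log.

The signal is a single source address attempting many *distinct* accounts
within a short window with a high failure rate. Any account that succeeds
inside such a window is a candidate compromised account that should be
reset and reviewed for unauthorized purchases.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp>Z ip=<addr> user=<email> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample data (not real Roku logs): one source cycling through
# leaked email/password pairs, plus an ordinary user mistyping a password.
SAMPLE_LOG = """\
2024-01-15T03:12:01Z ip=203.0.113.5 user=alice@example.com result=fail
2024-01-15T03:12:02Z ip=203.0.113.5 user=bob@example.com result=fail
2024-01-15T03:12:03Z ip=203.0.113.5 user=carol@example.com result=ok
2024-01-15T03:12:04Z ip=203.0.113.5 user=dave@example.com result=fail
2024-01-15T03:12:05Z ip=203.0.113.5 user=erin@example.com result=fail
2024-01-15T03:12:06Z ip=203.0.113.5 user=frank@example.com result=fail
2024-01-15T09:40:10Z ip=198.51.100.7 user=grace@example.com result=fail
2024-01-15T09:40:25Z ip=198.51.100.7 user=grace@example.com result=fail
2024-01-15T09:40:40Z ip=198.51.100.7 user=grace@example.com result=ok
"""


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse(log: str) -> list[Attempt]:
    """Parse log lines into Attempt records, skipping lines that don't match."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        out.append(Attempt(ts, m["ip"], m["user"], m["result"] == "ok"))
    return out


def find_stuffing_sources(attempts, window=timedelta(minutes=10),
                          min_users=5, min_fail_rate=0.5):
    """Return {ip: stats} for sources whose sliding window of attempts
    touches at least `min_users` distinct accounts with a failure rate of
    at least `min_fail_rate`. Thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it fits inside `window`.
            while rows[end].ts - rows[start].ts > window:
                start += 1
            win = rows[start:end + 1]
            users = {a.user for a in win}
            fails = sum(not a.ok for a in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_rate:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": fails,
                    # Accounts that succeeded inside a stuffing window.
                    "successful_logins": sorted(a.user for a in win if a.ok),
                }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(parse(SAMPLE_LOG)).items():
        print(ip, stats)
```

The legitimate user at 198.51.100.7 never trips the rule because every attempt targets one account; the source at 203.0.113.5 is flagged, and the one account it logged into is the one to force a reset on and check for unauthorized subscriptions.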

The added wrinkle, according to Bleeping Computer, is that the attackers are also attempting to sell the stolen accounts on a stolen-account marketplace for as little as 50 cents each. Roku has alerted affected account holders by mail (the notification letter is available here), reset the passwords of affected accounts, and is beginning to refund unauthorized purchases. Whether or not you know your Roku account has been accessed by someone else, it's not a bad idea to look for any unusual Roku transactions and change your password now.

How to reset your Roku password

It only takes a few minutes and is worth the effort

Resetting your Roku account password works much like it does for any other online account; just make sure you have access to the email address on the account.

1. Open up your web browser of choice and go to my.roku.com.
2. On the login page, select Forgot password?
3. Enter your email address.
4. Follow the reset link sent to your email and enter your new password.

How to find out if your account has been compromised

Companies in the US are legally required to notify customers if their personal information has been compromised, so in most cases you'll receive an email or letter notifying you if there's an issue. Roku has reportedly already notified those impacted by the breach, so check your email or watch for a letter in the mail. However, there are better ways to stay on top of breaches.

Most modern password managers cross-reference your account details with known breaches to let you know if you're impacted. You can also sign up for alerts from the popular breach notification site Have I Been Pwned, which will notify you whenever your information appears in a newly loaded breach.
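Password managers and breach-notification services can check a password against known breach dumps without ever sending the password itself, using the k-anonymity "range" lookup that Have I Been Pwned's Pwned Passwords API offers (the real endpoint is https://api.pwnedpasswords.com/range/{first five hex characters of the SHA-1}). The following added example, not code from the article or from Have I Been Pwned, implements that client-side logic; the constructed response body and the count it contains are stand-ins so the example runs offline.

```python
"""Check a password against a breach corpus with the k-anonymity range model.

Only the first 5 hex characters of SHA-1(password) leave the client; the
service returns every known hash suffix sharing that prefix with a breach
count, and the client finishes the comparison locally.
"""
import hashlib
from typing import Callable

# Real HIBP endpoint; live_range_lookup() below uses it, the test does not.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times `password` appears in breaches, or 0 if unseen.

    `fetch_range(prefix)` must return the range response body: one
    "SUFFIX:COUNT" entry per line. The full hash is compared only here,
    on the client."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def live_range_lookup(prefix: str) -> str:
    """Query the real API (network required); not exercised offline."""
    import urllib.request
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "range-lookup-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for a range response: made-up suffixes plus
# the real suffix of a deliberately weak sample password. The count 126927
# is constructed, not the live figure.
_WEAK_SAMPLE = "password123"
_WEAK_PREFIX, _WEAK_SUFFIX = split_hash(_WEAK_SAMPLE)
_FILLER = [
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
]
FAKE_RANGE_BODY = "\r\n".join(_FILLER[:1] + [f"{_WEAK_SUFFIX}:126927"] + _FILLER[1:])


def fake_range_lookup(prefix: str) -> str:
    """Offline replacement for live_range_lookup() using the constructed body."""
    return FAKE_RANGE_BODY if prefix == _WEAK_PREFIX else "\r\n".join(_FILLER)


if __name__ == "__main__":
    for pw in (_WEAK_SAMPLE, "correct horse battery staple 7!"):
        print(pw, "->", pwned_count(pw, fake_range_lookup))
```

Swap `fake_range_lookup` for `live_range_lookup` to run the same check against the real service; the comparison logic is identical, and the password never leaves the machine in either case.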

While fixing these kinds of issues is a bit of a headache, and it feels unfair that the duty of keeping things secure falls primarily on the customer, it's the reality of the world we live in. Using a password manager, creating distinct passwords for all of your accounts, and deploying other security best practices can help keep your accounts safe going forward, regardless of how companies mess up.