Roku hit with credential-stuffing attack, locking users out of accounts


After detecting suspicious activity “indicating that certain individual Roku accounts may have been accessed by unauthorized actors,” and following a subsequent investigation, Roku concluded that they had “likely obtained certain usernames and passwords of consumers from third-party sources.”

According to a Data Breach Notification filed with the State of Maine by the law firm Wilson Sonsini Goodrich & Rosati, 15,363 individuals were affected by the breach.  It began on December 28, 2023, was discovered on January 4, 2024, and ended on February 21, 2024.


Credential stuffing

The incident fit the classic pattern of a credential stuffing attack.

A credential stuffing attack begins with a database of user IDs and passwords and a target, which can be a financial services company, a government agency or a media and entertainment Web site.  A criminal actor uses automation to rapidly test each ID/password (access credential) combination to find combinations that grant access to the targeted site.

The criminal may accumulate the “working” credentials to sell to consumers, to give them unlicensed access to protected services.  Or, the criminal may use this access to conduct their own exploits: the theft of content, services, confidential enterprise data or end user financial details.

A 2020 study about credential stuffing by Akamai Technologies noted that pirates resell streaming service account credentials for $1-5 per account, and for as much as $45 for a packaged offer with multiple services.  In this current Roku case, Roku account credentials were reportedly sold for $0.50 each.

Consumer databases are widely available from clandestine sources online.
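The automated, many-accounts-from-one-source pattern described above is also what a defender looks for in authentication logs. The following is an added example, not code from the article or from Roku: a small detector run over constructed sample login records that flags a source address trying many distinct accounts with a high failure rate inside a short window, and lists the accounts it did get into (the ones to force a password reset on). The record format, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (ISO timestamp, source IP, username, outcome).
# 198.51.100.7 behaves like a stuffing bot; the other two sources look normal.
SAMPLE_LOG = [
    ("2023-12-28T01:00:00", "198.51.100.7", "alice", "fail"),
    ("2023-12-28T01:00:05", "198.51.100.7", "bob",   "fail"),
    ("2023-12-28T01:00:10", "198.51.100.7", "carol", "fail"),
    ("2023-12-28T01:00:15", "198.51.100.7", "dave",  "fail"),
    ("2023-12-28T01:00:20", "198.51.100.7", "erin",  "success"),
    ("2023-12-28T01:00:25", "198.51.100.7", "frank", "fail"),
    ("2023-12-28T02:00:00", "203.0.113.5",  "alice", "fail"),     # user mistypes
    ("2023-12-28T02:00:30", "203.0.113.5",  "alice", "fail"),
    ("2023-12-28T02:01:00", "203.0.113.5",  "alice", "success"),
    ("2023-12-28T03:00:00", "192.0.2.9",    "gina",  "success"),
]


def detect_stuffing(records, window=timedelta(minutes=5),
                    min_accounts=5, min_fail_ratio=0.8):
    """Flag sources that, within any sliding `window`, attempt at least
    `min_accounts` distinct usernames with a failure ratio >= `min_fail_ratio`.
    Returns {source_ip: {"accounts", "attempts", "hits"}}, where "hits" are the
    usernames that source logged into successfully (candidates for a reset)."""
    by_src = defaultdict(list)
    for ts, src, user, outcome in records:
        by_src[src].append((datetime.fromisoformat(ts), user, outcome))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start, suspicious = 0, False
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(o == "fail" for _, _, o in win)
            if len(users) >= min_accounts and fails / len(win) >= min_fail_ratio:
                suspicious = True
                break
        if suspicious:
            flagged[src] = {
                "accounts": len({u for _, u, _ in events}),
                "attempts": len(events),
                "hits": sorted({u for _, u, o in events if o == "success"}),
            }
    return flagged
```

A real deployment would key on more than the source IP (stuffing tools rotate through proxies), but the distinct-accounts-per-source ratio remains the core signal.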

Roku users notified

On March 8, 2024, Roku notified the holders of known compromised accounts that it had reset their account passwords and that they should set new ones using the “Forgot Password” tool.

In this case, “(U)nauthorized actors were able to obtain login information from third-party sources and then use it to access certain individual Roku accounts. After gaining access, they then changed the Roku login information for the affected individual Roku accounts, and, in a limited number of cases, attempted to purchase streaming subscriptions,” said Roku.

Roku’s notice contained pages of advice and resources intended to inform consumers of safeguards and countermeasures to reduce the likelihood of personal risks online.  However, according to the Maine filing, no identity theft services were offered by Roku.  Nor does Roku offer two-factor authentication.

Damage apparently was limited

“(A)ccess to the affected Roku accounts did not provide the unauthorized actors with access to social security numbers, full payment account numbers, dates of birth, or other similar sensitive personal information requiring notification,” continued Roku.

Proactive countermeasures

“When Roku identified the compromised accounts, (We) secured the accounts from further unauthorized access by requiring the registered account holder to reset the password, we investigated account activity to determine whether the unauthorized actors had incurred any charges, and we took steps to cancel unauthorized subscriptions and refund any unauthorized charges. We did not delay notification as a result of a law enforcement investigation … Finally, our team continues to actively monitor for signs of suspicious activity.”

Further reading

Notice of Data Breach.  March 12, 2024. Roku (via the Office of the Attorney General, State of California)

Data Breach Notifications. Roku Inc. March 8, 2024. Office of the Maine Attorney General, State of Maine

Over 15,000 hacked Roku accounts sold for 50¢ each to buy hardware. By Bill Toulas. March 11, 2024. Bleeping Computer

Why it matters

Credential stuffing is a well-established form of cyberattack.  According to Mark Mulready, Vice President of Cyber Services at Irdeto and Co-President of the European-focused Audiovisual Anti-Piracy Alliance (AAPA), “There are multiple business models.  One is to use credential stuffing to identify valid media accounts, and then resell the credentials that work.  A variant on that approach is to sell illicit streaming devices or apps with these credentials pre-installed.  A third is to use stolen credentials to access and steal content to redistribute illegally.”

“By impersonating a trusted source, consumers could be tricked into downloading an update that deposits ransomware.  One of our sources reported a social engineering attack using a social messaging platform with a voice recording claiming to be a company’s CEO.  One recipient became suspicious and reported it to the company’s security team; fortunately, before it was widely distributed,” said Mr. Mulready.
