15,363 Roku accounts were compromised, so it’s time to change your password

15,363 Roku accounts fell victim to a security breach, with cybercriminals accessing sensitive user data, including attempts at credit card fraud.

The incident was reported to the Maine and California attorneys general on March 8, detailing how hackers acquired Roku customer usernames and passwords from an external source and executed a credential stuffing attack (via TechRadar). The Maine filing states the attacks occurred on December 28, 2023, and February 21, 2024.

The attackers were able to change account login credentials, effectively locking out the legitimate owners and attempting to purchase streaming subscriptions with the stored credit cards. This alteration prevented account holders from receiving any confirmation emails regarding unauthorized purchases.

In response, Roku immediately secured the compromised accounts and initiated a password reset for affected users while investigating the fraudulent transactions. The company's efforts successfully halted unauthorized subscription sign-ups and refunded all fraudulent charges. Roku has assured that no social security numbers or similarly sensitive data were compromised in the breach.

For user security, Roku recommends resetting passwords via the My Roku website and contacting their support if account access issues arise. Users should also review their accounts for unauthorized subscriptions or devices, likely indicators of hacking. Additionally, checking your information on HaveIBeenPwned can check if your data has been compromised. Despite the breach impacting a small fraction of Roku's user base, caution is advised.

Further investigation uncovered an online marketplace selling stolen Roku account credentials for as little as 50 cents. The listings included instructions for making fraudulent purchases, with culprits boasting of their exploits on Telegram through screenshots of their ill-gotten gains.