Hackers target Roku users: 15,000 accounts sold online for cheap

15,000 Roku accounts are being hijacked, with the compromised credentials being sold online for less than a pack of gum.


If you’re a Roku owner, this is one spoiler you’ll want to hear: 15,000 Roku accounts are being jacked by hackers, and here’s the kicker: they’re being flogged online for less than a pack of gum.

The compromised accounts reportedly fell victim to a credential stuffing attack, a technique in which hackers take usernames and passwords leaked in previous data breaches and try them against other services to gain unauthorized access to consumer accounts.

According to BleepingComputer, hackers change passwords and email addresses once they are inside a user’s account, effectively locking the rightful owners out.

At this point, the hackers live it up, using stolen credit card details to shop until they drop on streaming subscriptions and hardware purchases.
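One way a service operator could spot the pattern described above in its own authentication logs, as an added example that is not from the original article or from Roku. The event format, field names, thresholds and sample records are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample auth events: (epoch_seconds, source_ip, account, action, ok)
EVENTS = [(1000 + i, "203.0.113.7", f"user{i}@example.com", "login", False)
          for i in range(8)]
EVENTS += [
    (1010, "203.0.113.7", "dana@example.com", "login", True),
    (1040, "203.0.113.7", "dana@example.com", "email_change", True),
    (1055, "203.0.113.7", "dana@example.com", "password_change", True),
    (1100, "198.51.100.4", "lee@example.com", "login", False),  # owner's typo
    (1110, "198.51.100.4", "lee@example.com", "login", True),
    (1200, "198.51.100.4", "lee@example.com", "password_change", True),
]

def stuffing_sources(events, min_accounts=5, min_fail_ratio=0.8):
    """IPs that try many distinct accounts and mostly fail (thresholds assumed)."""
    accounts, total, failed = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, ip, account, action, ok in events:
        if action != "login":
            continue
        accounts[ip].add(account)
        total[ip] += 1
        failed[ip] += not ok
    return {ip for ip in total
            if len(accounts[ip]) >= min_accounts
            and failed[ip] / total[ip] >= min_fail_ratio}

def takeover_candidates(events, window=600):
    """Accounts where a login from a stuffing source succeeded and both the
    email and the password were changed within `window` seconds of it."""
    bad_ips = stuffing_sources(events)
    logins = {}                 # account -> time of successful login from a bad IP
    changes = defaultdict(set)  # account -> actions seen inside the window
    for ts, ip, account, action, ok in sorted(events):
        if not ok:
            continue
        if action == "login" and ip in bad_ips:
            logins[account] = ts
        elif account in logins and ts - logins[account] <= window:
            changes[account].add(action)
    return sorted(a for a, c in changes.items()
                  if {"email_change", "password_change"} <= c)
```

The second account in the sample changes its password after a single mistyped login and is not flagged, because its source address never touched other accounts.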

While such a mechanism may seem overly complicated, it’s important to remember that Roku has made things relatively convenient for its users, perhaps too convenient sometimes.


What is Roku, and what does it do?

Roku users can manage all their streaming subscriptions through one platform. This requires them to store their credit card details online, which provides a playground for hackers who crack a user’s credentials.

One detail from this incident that staggers belief is the price point. Sites in the internet’s darkest corners, commonly referred to as the dark web, are selling these pilfered Roku accounts for the paltry price of $0.50 each.

Tom’s Guide mentions that these stolen login details lead to fraudulent purchases, where cameras, remotes, and soundbars are bought on unsuspecting users’ dimes.

Here’s what Roku owners can do

The good news is that Roku is not staying idle. When it discovered users were compromised, the company moved quickly to secure the impacted accounts and then forced a password reset.

If your account got hijacked, go to “my.roku.com” and click on ‘Forgot password?’ to get a reset link. Then, review your Roku dashboard and look for any strange activity, peculiar devices, or unauthorized subscriptions.

The fact that Roku currently does not support two-factor authentication adds to the complexity and inconvenience of this situation.

What is two-factor authentication?

2FA (two-factor authentication), for those who might be unfamiliar, adds an extra layer of security to user accounts, which can deter hijackings even when credentials are compromised.

At KnowTechie, we suggest turning on this feature for all your accounts. Customers who have it on are likely safe from this kind of account takeover.

The saga doesn’t end here

On top of all this hacking business, users also recently grappled with a controversial user agreement change. Tom’s Guide reports that Roku users were locked out of their TVs unless they agreed to the new policy, adding salt to fresh wounds.

While this breach is unrelated to the policy change, it nonetheless highlights the problems currently plaguing the dominant TV OS in the US.

We can only hope that Roku addresses these issues promptly and fully recognizes the paramount importance of data and privacy in an increasingly interconnected world.

And a word to the wise: Share passwords across different platforms at your peril! With credential stuffing being all the rage among hackers these days, it’s essential to be extra vigilant about your online security.

Keep your passwords unique and change them regularly because you never quite know when you might be the next target.


Kevin is KnowTechie's founder and executive editor. With over 15 years of blogging experience in the tech industry, Kevin has transformed what was once a passion project into a full-blown tech news publication. Shoot him an email at kevin@knowtechie.com or find him on Mastodon or Post.
