CALLED IT
Should be fucking illegal
Read the article. It’s not their fault.
Although what happened IS illegal.
The headline is misleading. Roku didn’t get hacked and leak accounts. There were ~15000 customers that had accounts accessed due to credential stuffing. Aka, they reused passwords on other sites that had leaks and hackers tried those credentials on their Roku accounts and got into them.
That’s… very very different.
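Credential stuffing, as the comment above describes it, is a large number of login attempts that each use a different leaked email/password pair, so it looks very different in an authentication log from a single user fumbling their own password. The following is an added example, not code from the thread, the article or Roku: it runs a simple detector over a few constructed log lines (the log format, the `ip=`/`user=`/`result=` fields and the TEST-NET addresses are assumptions) and flags source IPs that try many distinct accounts with a low success rate, listing the accounts that did succeed so they can be reset.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample auth-log lines for the demo (not real Roku data). The format is an
# assumption: one login attempt per line, with the client IP, the account and the outcome.
SAMPLE_LOG: List[str] = [
    "2024-03-08T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL",
    "2024-03-08T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL",
    "2024-03-08T10:00:02Z ip=203.0.113.7 user=carol@example.com result=OK",
    "2024-03-08T10:00:03Z ip=203.0.113.7 user=dave@example.com result=FAIL",
    "2024-03-08T10:00:03Z ip=203.0.113.7 user=erin@example.com result=FAIL",
    "2024-03-08T10:00:04Z ip=203.0.113.7 user=frank@example.com result=FAIL",
    "2024-03-08T10:00:05Z ip=203.0.113.7 user=grace@example.com result=OK",
    # A normal user who mistypes twice, then logs in: one account, one IP, not stuffing.
    "2024-03-08T10:00:10Z ip=198.51.100.2 user=heidi@example.com result=FAIL",
    "2024-03-08T10:00:15Z ip=198.51.100.2 user=heidi@example.com result=FAIL",
    "2024-03-08T10:00:20Z ip=198.51.100.2 user=heidi@example.com result=OK",
    "this line is deliberately malformed and must be skipped, not crash the parser",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def find_stuffing_sources(
    lines: List[str], min_accounts: int = 5, max_success_rate: float = 0.5
) -> Dict[str, dict]:
    """Group attempts by source IP and flag IPs that touch many distinct accounts with a
    low success rate (the signature of replaying leaked credentials). Returns, per flagged
    IP, the attempt counts and the accounts whose logins succeeded (candidates for a reset)."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:  # unparseable line: skip it rather than abort the whole run
            continue
        stats = per_ip[m["ip"]]
        stats["users"].add(m["user"])
        stats["attempts"] += 1
        if m["result"] == "OK":
            stats["successes"].add(m["user"])

    flagged: Dict[str, dict] = {}
    for ip, s in per_ip.items():
        rate = len(s["successes"]) / s["attempts"]
        if len(s["users"]) >= min_accounts and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_accounts": len(s["users"]),
                "attempts": s["attempts"],
                "successes": len(s["successes"]),
                "success_rate": round(rate, 3),
                "accounts_to_reset": sorted(s["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

The thresholds are deliberately low so the tiny sample trips them; on a real login stream you would tune `min_accounts` and `max_success_rate` per time window and combine the IP view with per-account signals, since distributed stuffing spreads attempts across many sources.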
Yeah, but then both OP and The Verge wouldn’t have such a juicy headline for sick internet points and clicks.
It’s more accurate to say “~15,000 Roku users were hacked due to reused passwords”, and reusing passwords is one of the worst things you can do security-wise because if your password got leaked on one website (doesn’t even need to be the full password, just the hash would work), you are now entirely compromised everywhere you reuse that password.
Assuming the hashes aren’t salted. Salting has been standard for years if not decades at this point.
But of course that won’t stop people from rejecting mature libraries and rolling their own insecure implementations.
The salt is stored in the same table as the hash. All the salt does is prevent super easy rainbow table attacks. You can still attack the passwords with brute force. Most people still use simple passwords that barely satisfy password requirements like “password1!”. There are freely available cracking algorithms that target the same “clever” password patterns that everyone uses. It greatly reduces the time it takes to crack passwords, and if you have a table with a million passwords in it, it’ll only take a couple days on a few GPUs to crack 15,000 of the simpler ones.
My doctor says I should reduce my cholesterol and sodium intake. No salted hash for me, thanks.
This is the best summary I could come up with:
Roku has disclosed a breach that allowed hackers to gain access to 15,363 accounts and stored credit card information, as first reported by Bleeping Computer.
In a notice sent to customers, Roku says hackers obtained login information and tried to purchase streaming subscriptions in a “limited number” of instances.
Hackers likely obtained account information exposed in previous data breaches of third-party services, Roku says.
This kind of attack, called credential stuffing, involves hackers getting the emails and passwords exposed in data breaches and trying the combination on other services.
If the account had stored credit card info, hackers could also purchase subscriptions within Roku for services such as Netflix, Max, Paramount Plus, Hulu, Peacock, Disney Plus, and others.
Bleeping Computer also found that hackers are selling the stolen information for around 50 cents per account on a hacking marketplace.
The original article contains 247 words, the summary contains 139 words. Saved 44%. I’m a bot and I’m open source!
Good. Now burn to the ground and disappear from existence.
I’m a big proponent of self-hosting. I cancelled every streaming service years ago, and I host everything I want with Jellyfin and Navidrome. I’m very into certain genres of music, so I always make sure to buy merch or buy some albums on Bandcamp for the artists I really enjoy.
That being said, Roku does have its place. My older family members have lived their whole lives paying for shitty cable TV with 90% of the content something they have no interest in. Roku is a good alternative for them. It’s easy to set up, straightforward to use, and doesn’t cost much outside of the subscriptions for streaming services.
It’s been years since I’ve consumed any media that isn’t coming from my NAS, but the vast majority of people don’t have the knowledge or desire to set up a home media system. Mainstream smart-TV devices like Roku and streaming services like Netflix or Hulu certainly still have their place. They’re a shitty choice for people who enjoy tinkering with software and networking, but a good alternative for someone who just wants to watch TV but is fed up with the bullshit commercial-infested cesspool that is cable.
Also they’re a cheap TV you can install Plex and Jellyfin and the like to (I get that the cheapness comes from data theft and shit)
I buy Roku TVs because the other 50 inch panel I can get is $200 more and I plan to never use anything but the self-hosting, anyway
It’s also why my elderly relatives buy them and then ask me to set up my magic streaming box for them
Huh. It kind of puts that very recent mandatory arbitration agreement into question, doesn’t it?
Not really. This is just another case of people reusing passwords that have already been compromised from other leaks. Roku isn’t on the hook for this one.
I don’t know if this qualifies as a proper hack. The attackers simply tried to reuse leaked credentials from other services to see if they worked on Roku.
It’s technically hacking according to the legal definition, but Roku isn’t at fault.
…they still forced everyone into arbitration over it
welp, just changed my password to something ridiculous, good looking out.
You weren’t at risk unless you regularly re-use passwords.
Wasn’t their Roku account at risk?
Only if they reused passwords. Roku didn’t get hacked.
Bad actors used credentials leaked in other hacks to gain access to accounts that use the same password everywhere.
I understand that. So can I assume Roku forced everyone to change their password then?
Just report this as clickbait and let the mods remove it. If Roku didn’t get hacked, then that title has no reason to be here.
Replace title with “hackers use leaked passwords to access thousands of Roku accounts” and you have yourself a keeper.
Very misleading title
How in the hell do you find a 3 word title misleading? Hackers got access to Roku accounts.
Hackers didn’t hack Roku. They “hacked” people who were dumb enough to reuse old, compromised passwords from other services. That is a very big difference from OP’s title “Roku got hacked”.
It is good for Roku to disclose this, but the issue is that people reused passwords.
God damn. Some people just want to argue and it doesn’t matter about what.
To provide perspective, let’s pretend this title isn’t misleading (it is, but we’re playing Pretend). As of the fourth quarter of 2023, Roku reported a total of around 80 million active accounts worldwide. 15k accounts amount to 0.019% of active users.
If history is anything to go by, the initial report is often the tip of the iceberg.
I wouldn’t be surprised if they announce next month that oh, actually, all 80 million were compromised.
And then they’ll come back a month later and say “oh, and another 500 million users, who don’t have an account with us and didn’t even know we were tracking them, yeah they were also compromised”.
Of course, that doesn’t happen every time, but it’s pretty common. I wouldn’t trust Roku to fully know what’s going on yet. There’s a good chance they are assuming it was credential stuffing but don’t actually have proof of that. Hackers usually try to cover their tracks which makes any investigation difficult.
Needing a credit card just to use Roku has always been nonsense. I bought a gift card, spent all but $1 of it, and registered with that.
But I’ve since moved to Nvidia shield on the theater and onn on bedroom, office. Much better experience all around.
This, together with the recent “accept this new TOS that you’ll never sue us or you can’t access your TV” incident, makes me want to stay a good number of meters away from anything Roku.
I use Privacy. Link your current card so you can create merchant cards with restrictions. If it gets hacked, just delete the card and create a new one. Also, if you got charged once, another charge from another merchant will not work. I can worry about 1 less thing in life, until Privacy gets hacked…