CALLED IT

  • skysurfer@lemmy.world
    8 months ago

    The headline is misleading. Roku didn’t get hacked and leak accounts. There were ~15000 customers that had accounts accessed due to credential stuffing. Aka, they reused passwords on other sites that had leaks and hackers tried those credentials on their Roku accounts and got into them.

    • Poggervania@kbin.social
      8 months ago

      Yeah, but then both OP and The Verge wouldn’t have such a juicy headline for sick internet points and clicks.

      It’s more accurate to say “~15,000 Roku users were hacked due to reused passwords”, and reusing passwords is one of the worst things you can do security-wise because if your password got leaked on one website (doesn’t even need to be the full password, just the hash would work), you are now entirely compromised everywhere you reuse that password.

      • catloaf@lemm.ee
        8 months ago

        Assuming the hashes aren’t salted. Salting has been standard for years if not decades at this point.

        But of course that won’t stop people from rejecting mature libraries and rolling their own insecure implementations.

        • CrayonRosary@lemmy.world
          8 months ago

          The salt is stored in the same table as the hash. All the salt does is prevent super easy rainbow table attacks. You can still attack the passwords with brute force. Most people still use simple passwords that barely satisfy password requirements like password1!. There are freely available cracking algorithms that target the same “clever” password patterns that everyone uses. It greatly reduces the time it takes to crack passwords, and if you have a table with a million passwords in it, it’ll only take a couple days on a few GPUs to crack 15,000 of the simpler ones.
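The point the two comments above make about salts, as an added example (not code from any commenter or from Roku): a per-user salt stops identical passwords from sharing one digest, yet a denylisted password is still found by hashing each guess with the stored salt. The user names, passwords, denylist and work factor below are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # demo work factor (assumption); tune for your hardware


def unsalted_sha256(password: str) -> str:
    """Fast unsalted hash: the same password gives the same digest everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


def store(password: str) -> dict:
    """Create a record with a fresh random salt kept beside the hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(digest, record["hash"])


def audit_weak(users: dict, denylist: list) -> list:
    """Defender's audit: list accounts whose password is on the denylist.

    The salt sits in the record, so it does not hide a weak password; it only
    forces one KDF call per (account, guess) pair instead of one table lookup.
    """
    return sorted(
        name for name, rec in users.items()
        if any(verify(rec, pw) for pw in denylist)
    )


# Constructed sample data: two users share a weak password, one does not.
USERS = {
    "alice": store("password1!"),
    "bob": store("password1!"),
    "carol": store("v9#Lq2-tram-Obelisk"),
}
DENYLIST = ["123456", "password1!", "qwerty"]

if __name__ == "__main__":
    print("salted records differ:", USERS["alice"]["hash"] != USERS["bob"]["hash"])
    print("accounts to force-reset:", audit_weak(USERS, DENYLIST))
```

Running the same audit at registration or password change, before the record is stored, rejects the weak password without any hashing cost beyond one lookup in the denylist.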

  • AutoTL;DR@lemmings.world
    8 months ago

    This is the best summary I could come up with:


    Roku has disclosed a breach that allowed hackers to gain access to 15,363 accounts and stored credit card information, as first reported by Bleeping Computer.

    In a notice sent to customers, Roku says hackers obtained login information and tried to purchase streaming subscriptions in a “limited number” of instances.

    Hackers likely obtained account information exposed in previous data breaches of third-party services, Roku says.

    This kind of attack, called credential stuffing, involves hackers getting the emails and passwords exposed in data breaches and trying the combination on other services.

    If the account had stored credit card info, hackers could also purchase subscriptions within Roku for services such as Netflix, Max, Paramount Plus, Hulu, Peacock, Disney Plus, and others.

    Bleeping Computer also found that hackers are selling the stolen information for around 50 cents per account on a hacking marketplace.


    The original article contains 247 words, the summary contains 139 words. Saved 44%. I’m a bot and I’m open source!

    • corroded@lemmy.world
      8 months ago

      I’m a big proponent of self-hosting. I cancelled every streaming service years ago, and I host everything I want with Jellyfin and Navidrome. I’m very into certain genres of music, so I always make sure to buy merch or buy some albums on Bandcamp for the artists I really enjoy.

      That being said, Roku does have its place. My older family members have lived their whole lives paying for shitty cable TV with 90% of the content something they have no interest in. Roku is a good alternative for them. It’s easy to set up, straightforward to use, and doesn’t cost much outside of the subscriptions for streaming services.

      It’s been years since I’ve consumed any media that isn’t coming from my NAS, but the vast majority of people don’t have the knowledge or desire to set up a home media system. Mainstream smart-TV devices like Roku and streaming services like Netflix or Hulu certainly still have their place. They’re a shitty choice for people who enjoy tinkering with software and networking, but a good alternative for someone who just wants to watch TV but is fed up with the bullshit commercial-infested cesspool that is cable.

      • gamermanh@lemmy.dbzer0.com
        8 months ago

        Also they’re a cheap TV you can install Plex and Jellyfin and the like to (I get that the cheapness comes from data theft and shit)

        I buy Roku TVs because the other 50 inch panel I can get is $200 more and I plan to never use anything but the self-hosting, anyway

        It’s also why my elderly relatives buy them and then ask me to set up my magic streaming box for them

    • pearsaltchocolatebar@discuss.online
      8 months ago

      Not really. This is just another case of people reusing passwords that have already been compromised from other leaks. Roku isn’t on the hook for this one.

  • henfredemars@infosec.pub
    8 months ago

    I don’t know if this qualifies as a proper hack. The attackers simply tried to reuse leaked credentials from other services to see if they worked on Roku.

  • helpImTrappedOnline@lemmy.world
    8 months ago

    Just report this as clickbait and let the mods remove it. If Roku didn’t get hacked, then that title has no reason to be here.

    Replace title with “hackers use leaked passwords to access thousands of Roku accounts” and you have yourself a keeper.

    • Decoy321@lemmy.world
      8 months ago

      How in the hell do you find a 3 word title misleading? Hackers got access to Roku accounts.

      • ResoluteCatnap@lemmy.ml
        8 months ago

        Hackers didn’t hack Roku. They “hacked” people who were dumb enough to reuse old, compromised passwords from other services. That is a very big difference from OP’s title “roku got hacked”.

        It is good for Roku to disclose this, but the issue is that people reused passwords.

    • abhibeckert@lemmy.world
      8 months ago

      If history is anything to go by, the initial report is often the tip of the iceberg.

      I wouldn’t be surprised if they announce next month that oh, actually, all 80 million were compromised.

      And then they’ll come back a month later and say “oh, and another 500 million users, who don’t have an account with us and didn’t even know we were tracking them, yeah they were also compromised”.

      Of course, that doesn’t happen every time, but it’s pretty common. I wouldn’t trust Roku to fully know what’s going on yet. There’s a good chance they are assuming it was credential stuffing but don’t actually have proof of that. Hackers usually try to cover their tracks which makes any investigation difficult.

  • BoofStroke@sh.itjust.works
    8 months ago

    Needing a credit card just to use Roku has always been nonsense. I bought a gift card, spent all but $1 of it, and registered with that.

    But I’ve since moved to Nvidia shield on the theater and onn on bedroom, office. Much better experience all around.

    • SharkAttak@kbin.social
      8 months ago

      This, together with the recent “accept this new TOS that you’ll never sue us or you can’t access your TV” incident, makes me want to stay a good number of meters away from anything Roku.

    • HeyJoe@lemmy.world
      8 months ago

      I use privacy. Link current card so you can create merchant cards with restrictions. If it gets hacked just delete the card and create a new one. Also if you got charged once another charge from another merchant will not work. I can worry about 1 less thing in life, until privacy gets hacked…