Hackers likely obtained account information exposed in previous data breaches of third-party services, Roku says. This kind of attack, called credential stuffing, involves hackers getting the emails and passwords exposed in data breaches and trying the combination on other services. Once they gained access to an account, Roku hackers changed the login information for some accounts, allowing them to gain full control.
If the account had stored credit card info, hackers could also purchase subscriptions within Roku for services such as Netflix, Max, Paramount Plus, Hulu, Peacock, Disney Plus, and others. Bleeping Computer also found that hackers are selling the stolen information for around 50 cents per account on a hacking marketplace.
One saving grace is that the Roku accounts didn’t reveal social security numbers, full payment account numbers, or dates of birth. Roku says it has since “secured the accounts from further unauthorized access” by asking affected users to reset their passwords. It’s also working to cancel and refund unauthorized purchases. Even if you weren’t affected by this data breach, it still might be worth checking HaveIBeenPwned to see if any of your credentials have been exposed recently. It also couldn’t hurt to change your Roku password.