If you have a Roku streaming stick plugged into your telly then you might want to check your credit card bill today. Streaming company Roku has revealed hackers have potentially accessed the accounts of more than 15,000 customers, and in some instances have used people’s credit card details to make fraudulent purchases.
Roku said in a letter to customers on Friday 8 March that hackers could have accessed accounts and changed the login information, meaning they could use the stored payment details to make purchases without the customer’s knowledge. As first reported this week by Bleeping Computer, it also appears hackers have been attempting to sell login credentials online for as little as 50 US cents, with 15,363 affected.
“Through our investigation, we determined that unauthorized actors had likely obtained certain usernames and passwords of consumers from third-party sources (e.g., through data breaches of third-party services that are not related to Roku),” said Roku. “It appears likely that the same username/password combinations had been used as login information.”
This type of hack is known as credential stuffing, when online crooks use information from data breaches of online services to try and login to others. So, if your Facebook email and password is the same as your Roku account and your Facebook login leaked, hackers could access your Roku account simply by using the email and password.
Even though this is hypothetical, it’s worth checking your Roku account and changing the password, as well as checking your credit card bills. Some hackers were able to change the login details entirely – associating them with another email address – but maintain customer payment information. If your Roku account has stored payment information and the hack affected you, thieves could have spent money on your card without you realising.
These purchases would be limited to items within Roku such as subscriptions to Netflix, Disney+, or other streaming services.
Roku said it has stopped unauthorised access by prompting customers to change their passwords. The company also said it has taken steps to refund any fraudulent purchases.
