Over 15,000 Roku Accounts Sold To Buy Streaming Subscriptions, Devices (bleepingcomputer.com)
Over 15,000 Roku customers were hacked and used to make fraudulent purchases of hardware and streaming subscriptions. According to BleepingComputer, the threat actors were "selling the stolen accounts for as little as $0.50 per account, allowing purchasers to use stored credit cards to make illegal purchases." From the report: On Friday, Roku first disclosed the data breach, warning that 15,363 customer accounts were hacked in a credential stuffing attack. A credential stuffing attack is when threat actors collect credentials exposed in data breaches and then attempt to use them to log in to other sites, in this case, Roku.com. The company says that once an account was breached, it allowed threat actors to change the information on the account, including passwords, email addresses, and shipping addresses. This effectively locked a user out of the account, allowing the threat actors to make purchases using stored credit card information without the legitimate account holder receiving order confirmation emails.
"It appears likely that the same username/password combinations had been used as login information for such third-party services as well as certain individual Roku accounts," reads the data breach notice. "As a result, unauthorized actors were able to obtain login information from third-party sources and then use it to access certain individual Roku accounts. After gaining access, they then changed the Roku login information for the affected individual Roku accounts, and, in a limited number of cases, attempted to purchase streaming subscriptions." Roku says that it secured the impacted accounts and forced a password reset upon detecting the incident. Additionally, the platform's security team investigated for any charges due to unauthorized purchases performed by the hackers and took steps to cancel the relevant subscriptions and refund the account holders.
A researcher told BleepingComputer last week that the threat actors have been using a Roku config to perform credential stuffing attacks for months, bypassing brute force attack protections and captchas by using specific URLs and rotating through lists of proxy servers. Successfully hacked accounts are then sold on stolen account marketplaces for as little as 50 cents, as seen below where 439 accounts are being sold. The seller of these accounts provides information on how to change information on the account to make fraudulent purchases. Those who purchase the stolen accounts hijack them with their own information and use stored credit cards to purchase cameras, remotes, soundbars, light strips, and streaming boxes. After making their purchases, it is common for them to share screenshots of redacted order confirmation emails on Telegram channels associated with the stolen account marketplaces.
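The two behaviours the report describes, a source cycling through many accounts with mostly failed logins and an account whose login is followed by email/password/shipping changes and then a purchase, are what a defender would look for in authentication and account-change logs. The following is an added detection example written for this page; it is not code from the article, from BleepingComputer, or from Roku, and the event names, IP addresses, accounts and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, source_ip, account, event, outcome);
# illustrative only, not real Roku data. 198.51.100.7 plays the stuffing source.
EVENTS = [
    ("2024-03-08T10:00:01", "198.51.100.7", "alice", "login", "fail"),
    ("2024-03-08T10:00:02", "198.51.100.7", "bob", "login", "fail"),
    ("2024-03-08T10:00:03", "198.51.100.7", "carol", "login", "fail"),
    ("2024-03-08T10:00:04", "198.51.100.7", "dave", "login", "fail"),
    ("2024-03-08T10:00:05", "198.51.100.7", "frank", "login", "success"),
    ("2024-03-08T10:20:00", "203.0.113.9", "frank", "login", "success"),
    ("2024-03-08T10:21:00", "203.0.113.9", "frank", "email_change", "success"),
    ("2024-03-08T10:22:00", "203.0.113.9", "frank", "password_change", "success"),
    ("2024-03-08T10:25:00", "203.0.113.9", "frank", "address_change", "success"),
    ("2024-03-08T10:30:00", "203.0.113.9", "frank", "purchase", "success"),
    ("2024-03-08T11:00:00", "192.0.2.44", "alice", "login", "success"),
    ("2024-03-08T11:05:00", "192.0.2.44", "alice", "purchase", "success"),
]
SENSITIVE = {"email_change", "password_change", "address_change"}

def stuffing_sources(events, min_accounts=5, min_fail_ratio=0.8):
    """Source IPs that tried many distinct accounts, mostly unsuccessfully."""
    accts, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, ip, acct, ev, outcome in events:
        if ev == "login":
            accts[ip].add(acct)
            fails[ip] += outcome == "fail"
            total[ip] += 1
    return {ip: (len(a), fails[ip], total[ip]) for ip, a in accts.items()
            if len(a) >= min_accounts and fails[ip] / total[ip] >= min_fail_ratio}

def takeover_candidates(events, window=timedelta(hours=1)):
    """Accounts where a login is followed within `window` by profile changes, then a purchase."""
    by_acct = defaultdict(list)
    for ts, _, acct, ev, outcome in events:
        if outcome == "success":
            by_acct[acct].append((datetime.fromisoformat(ts), ev))
    flagged = {}
    for acct, evs in by_acct.items():
        login_at, changes = None, set()
        for t, ev in sorted(evs):
            if ev == "login":  # a fresh session resets the change tracking
                login_at, changes = t, set()
            elif login_at is None or t - login_at > window:
                continue
            elif ev in SENSITIVE:
                changes.add(ev)
            elif ev == "purchase" and changes:  # bought after locking the owner out
                flagged[acct] = sorted(changes)
    return flagged
```

Run against the sample, the first check reports only 198.51.100.7 and the second reports only frank; alice's purchase with no preceding profile changes is not flagged.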
Bad idea (Score:2)
So your first mistake was adding your credit card to your Roku account...
Re: (Score:2)
Indeed.
Re: (Score:2)
com ;)
Re: (Score:1)
Blame the victim
Yeah, nope.
Bad behaviour around managing credentials cannot possibly be the fault of the vendor.
What is this? Actions have consequences. Own your actions. Quit trying to shift the blame elsewhere.
Re: (Score:3)
I'd say first mistake is reusing a password. Though I did check mine just to be sure. Yep, random generated password. And no, no saved credit card. I'm not even sure what I would keep one on file for. Roku is a good cheap tool to organize streaming services.
Re: (Score:2)
Reuse the password as much as you want for inconsequential accounts. Roku falls into this category in my opinion. I have a Roku TV, and while I regret it because I can't get Kodi on there, I'm not sure why anyone would buy anything through Roku anyways, let alone store a credit card. If someone cracked my Roku account it would be a very minor inconvenience. I probably wouldn't even notice. I'm only signed in because Roku made me so I could install YouTube.
New arbitration agreement suddenly shows cause (Score:5, Insightful)
These guys just stuffed a new license agreement down everyone's throats, and now you can see probable cause.
This looks entertaining. What else have they been screwing up?
Re: (Score:2)
Why is this not yet a penny stock?
Re: (Score:2)
What happens when a hacker logs in and accepts the EULA for me?
Re: (Score:1)
a hacker
Credential stuffing is to hacking what plutonium is to cabbage
ie, not even remotely the same thing
Re: (Score:2)
Yes yes, blah blah, being technically correct is more important than having a conversation. I get it's hard to manage autism. I've struggled too.
Re: (Score:3)
Oh no! A typo in that last message, make sure you call that out!
Re: (Score:1)
What else have they been screwing up?
This logic baffles me
15k chuckledink mouth-breathers used BAD credentials. Naturally, their idiocy had a really predictable outcome. Yet we're going to pretend they are utterly blameless and point the accusatory digit at the vendor?
This is acceptable behaviour for a 2-year-old. Not so much for "adults".
So that TOS update that they forced... (Score:1)
...this is behind that. They wanted to make sure they aren't sued into oblivion by consumers who lost money. I think this is grievous enough that their shitty TOS won't stand up in court.