{"id":100282,"date":"2024-04-18T10:59:18","date_gmt":"2024-04-18T17:59:18","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=100282"},"modified":"2024-04-22T09:11:35","modified_gmt":"2024-04-22T16:11:35","slug":"roku-leaks-576000-accounts-its-second-data-breach-of-2024","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/roku-leaks-576000-accounts-its-second-data-breach-of-2024\/","title":{"rendered":"Roku leaks 576,000 accounts\u2014its second data breach of 2024"},"content":{"rendered":"

\"\"<\/p>\n

Streaming giant Roku announced that it has suffered its second data breach so far this year.<\/p>\n

In the first data breach, which Roku acknowledged<\/a>\u00a0on March 8, attackers compromised more than 15,000 user accounts. The company stated that the breach was the result of a credential stuffing<\/a> attack, also known as a password reuse attack. In other words, hackers tried username-and-password combinations that had leaked in past data breaches.<\/p>\n

Roku stated<\/a> on April 12 that hackers had accessed roughly 576,000 additional accounts in a second incident. The company claims to have determined this by closely monitoring account activity.<\/p>\n

Between the two incidents, there were fewer than 400 cases where “malicious actors\u2026 made unauthorized purchases of streaming service subscriptions and Roku hardware products using the payment method stored in these accounts.”\u00a0 Roku claims that the attackers “did not gain access to any sensitive information, including full credit card numbers or other full payment information.” The company said that it has refunded or reversed all fraudulent charges.<\/p>\n

What Roku did\u2014and didn’t do\u2014right<\/h3>\n

The bad<\/strong><\/h4>\n

It’s unclear why Roku’s supposedly “close” monitoring did not enable the company to stop the second attack much sooner. Additionally, it’s unfortunate that Roku evidently didn’t significantly reduce the feasibility of credential stuffing attacks after the first incident.<\/p>\n

Instead, the company blamed its users for their bad password hygiene. Roku claimed that “it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials.”<\/p>\n

The good<\/strong><\/h4>\n

On the bright side, Roku said after the second incident that it had proactively enabled two-factor authentication (2FA)<\/a> for all of its 80 million user accounts.<\/p>\n

The next time users attempt to log in, they’ll get a verification link via e-mail. We’ll walk you through this process below.<\/p>\n

How to set up two-factor authentication for your Roku account<\/h3>\n

In addition to using a separate, unique password for each of your online accounts, you should also use two-factor authentication (2FA; also called MFA for multi-factor authentication, or 2SV for two-step verification).<\/p>\n

Most services make 2FA optional, but Roku now requires it. You should ideally enable 2FA for all of your accounts<\/a> to add an additional layer of protection in case your password is ever exposed in a data dump.<\/p>\n

Now whenever you try to sign into your Roku account, you’ll see a “Verify it’s you to finish signing in” screen. This screen shows you your registered e-mail address, to which a verification link is sent.<\/p>\n

Next, check your e-mail and look for a brand new message from noreply@roku.com with the subject, “Roku | Signing in?” The e-mail will look similar to the following:<\/p>\n

\"\"

Roku’s “Signing in?” verification e-mail as of April 2024. Note that your first name will appear after “Hi” on the first line.<\/p><\/div>\n

Note that you should only receive such an e-mail\u2014and should only click or tap on the “Yes, sign me in” link\u2014if you’re actively attempting to log in at that time. (Otherwise, it may be a phishing e-mail, or someone else may be trying to break into your account.)<\/p>\n

The “Yes, sign me in” link begins with https:\/\/click.web.roku.com\/<\/code>. After clicking or tapping on the link, you’ll be redirected to a page hosted at https:\/\/my.roku.com\/<\/code>.<\/p>\n

If the site asks you to change your password, verify that the domain in the address bar ends in “.roku.com” first. Otherwise, the page will automatically redirect to https:\/\/my.roku.com\/dashboard<\/code>.<\/p>\n

Convenience is the enemy of security<\/strong><\/h4>\n

Roku considers the ability to access your e-mail to be the “something you have” second-factor option. So unlike most sites, Roku doesn’t require you to configure an authenticator app or get a text message as your second factor.<\/p>\n

This may seem convenient\u2014but you’ll need to ensure you aren’t reusing the same password for both your e-mail account and your Roku account; if you are (and if you aren’t using 2FA for your e-mail account), then an attacker just needs to take an additional step to break into both accounts. As we’ve mentioned before, it’s crucial to never reuse any passwords<\/a> and to always use 2FA<\/a>.<\/p>\n

How can I avoid falling victim to credential stuffing attacks?<\/h3>\n

Regardless of whether or not you have a Roku account, there are two important takeaways:<\/p>\n

    \n
  1. Use unique passwords for each and every site.<\/strong> Never reuse a password.<\/li>\n
  2. Use two-factor authentication wherever possible.<\/strong> Enable 2FA for every site that offers it.<\/li>\n<\/ol>\n

    These key points will help you avoid becoming a victim of future credential stuffing attacks. Be sure to check out the additional links below for more details.<\/a><\/p>\n

    How can I learn more?<\/h3>\n

    We discussed the Roku data breaches on episode 340<\/a> of the Intego Mac Podcast.<\/p>\n