Roku is notifying over 15,000 customers of a recent data breach that allowed threat actors to use stored credit cards to make unauthorized purchases on some accounts.
Roku is a media streaming company that allows customers to access content from various online entertainment platforms such as Netflix, Max, Disney Plus, and Spotify.
It also has an in-house streaming app, a self-named Roku Channel, and a TV operating system. The company has a large customer base of over 80 million active accounts and reached 106 billion hours of streaming in 2023.
According to a data breach notification filed with California’s Office of the Attorney General, “Roku’s security team recently detected suspicious activity suggesting that certain Roku accounts were accessed by unauthorized actors.”
The streaming company detected the intrusion between January 4 and February 21, 2024, and determined that the unauthorized access took place between December 28, 2023, and February 21, 2024.
Roku hackers attempted to make unauthorized purchases
The San Jose, California-based company initiated an investigation to determine the scope of the data breach and the nature of the personal information potentially accessed.
“We conducted an investigation to identify affected accounts, determine the scope of the unauthorized activity, protect affected accounts from further unauthorized access, identify the legitimate account holders, and identify any personal information which may have been compromised,” Roku said.
The investigation determined that a limited number of Roku accounts were accessed by unauthorized actors using login credentials obtained from previous breaches of third-party services, also known as credential stuffing. A breach notice filed with the Office of the Maine Attorney General disclosed that 15,363 customers were impacted.
Once the account takeover was complete, the attackers changed the login information to gain unrestricted access and “attempted to purchase streaming subscriptions” in a “limited number of cases” using stored credit cards.
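The two signals described above, a credential-stuffing burst from one source and a post-login credential change followed by a purchase, can be picked out of authentication and billing logs. The following is an added illustration, not Roku's code or data: the event list is constructed, and the field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Roku logs); fields: timestamp, source IP, user, event.
EVENTS = [
    ("2024-01-05T10:00:00", "203.0.113.7", "alice", "login_fail"),
    ("2024-01-05T10:00:01", "203.0.113.7", "bob", "login_fail"),
    ("2024-01-05T10:00:02", "203.0.113.7", "carol", "login_fail"),
    ("2024-01-05T10:00:03", "203.0.113.7", "dave", "login_fail"),
    ("2024-01-05T10:00:04", "203.0.113.7", "erin", "login_fail"),
    ("2024-01-05T10:00:05", "203.0.113.7", "alice", "login_ok"),
    ("2024-01-05T10:03:00", "203.0.113.7", "alice", "password_change"),
    ("2024-01-05T10:05:00", "203.0.113.7", "alice", "purchase"),
    ("2024-01-05T11:00:30", "198.51.100.4", "frank", "login_ok"),
    ("2024-01-05T11:10:00", "198.51.100.4", "frank", "purchase"),
]

def parse(events):
    # Convert ISO timestamps so events can be ordered and windowed.
    return sorted((datetime.fromisoformat(ts), ip, user, ev) for ts, ip, user, ev in events)

def stuffing_sources(events, min_users=5, min_fail_rate=0.8):
    # Source IPs that tried many distinct usernames with a high failure rate.
    users = defaultdict(set)
    attempts = defaultdict(lambda: [0, 0])  # ip -> [fails, total]
    for _, ip, user, ev in parse(events):
        if ev in ("login_fail", "login_ok"):
            users[ip].add(user)
            attempts[ip][1] += 1
            if ev == "login_fail":
                attempts[ip][0] += 1
    return {ip for ip in users
            if len(users[ip]) >= min_users
            and attempts[ip][0] / attempts[ip][1] >= min_fail_rate}

def takeover_sequences(events, window=timedelta(minutes=30)):
    # Users whose successful login was followed, within the window, by a
    # credential change (password or email) and then a purchase.
    flagged, by_user = [], defaultdict(list)
    for ts, ip, user, ev in parse(events):
        by_user[user].append((ts, ev))
    for user, evs in by_user.items():
        for i, (t0, ev) in enumerate(evs):
            if ev != "login_ok":
                continue
            later = {e for t, e in evs[i + 1:] if t - t0 <= window}
            if later & {"password_change", "email_change"} and "purchase" in later:
                flagged.append(user)
                break
    return flagged
```

Frank's normal login and purchase without a credential change is not flagged, which is the distinction that keeps this rule from paging on ordinary customer activity.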
Roku’s business model allows customers to centrally manage subscriptions across various streaming platforms and make purchases using stored credit cards.
“In response, we took immediate steps to secure these accounts and are notifying affected customers,” the company said, adding that it continues to “monitor for signs of suspicious activity.”
Sensitive PII and stored credit cards not leaked in the Roku data breach
Although threat actors attempted to make purchases using stored credit cards, the data breach did not leak sensitive personal or financial information.
“However, access to the affected Roku accounts did not provide the unauthorized actors with access to social security numbers, full payment account numbers, dates of birth, or other similar sensitive personal information requiring notification,” the company said.
If exposed, stored credit cards are a gold mine for cybercriminals, each selling for about $1 to $10 on dark web marketplaces. However, most companies mask stored credit cards to prevent them from being exposed in case of a data breach.
Roku has advised security-conscious customers to change their account passwords as a precaution. It also initiated a password reset for some accounts to mitigate the impacts of the data breach.
Customers should also use strong and unique passwords and monitor their online accounts, financial statements, and credit reports.
Additionally, they should review their Roku subscriptions from their account dashboard and cancel any unwanted plans. Roku is also taking “steps to cancel unauthorized subscriptions and refund any unauthorized charges.”
The media streaming company also explained that an ongoing law enforcement investigation did not cause the slight delay in notification.
While not among the top targets for cybercriminals, media streaming platforms do sometimes fall victim to cyberattacks.
In 2022, media streaming platform Plex disclosed a data breach that leaked the personal information of 30 million users. That incident exposed email addresses, usernames, and hashed passwords but not stored credit cards.