After weathering two waves of credential stuffing attacks thus far in 2024, the second of which involved over half a million compromised accounts, Roku is now requiring that customers set up a 2FA method.
While the attackers are not able to glean financial information from the compromised accounts, they are able to make hardware and software purchases on the platform using payment methods stored in the accounts they capture. While the majority of Roku’s 80 million users are unaffected by either attack, they will all now be required to at minimum set up email 2FA to continue using their accounts.
Multiple credential stuffing attacks to start 2024 lead to security changes at Roku
The more recent of the credential stuffing attacks compromised about 576,000 Roku accounts. The initial breach, which took place from late December to late February and was reported in early March, only involved about 15,000 user accounts. In both cases the threat actors appear to simply have been trying username and password combinations leaked from prior data breaches at other companies.
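Because credential stuffing replays leaked username/password pairs across many different accounts, its signature in an authentication log is one source trying many distinct usernames with a mostly failing result and the occasional hit. The Python below is an added example, not Roku's code: it uses constructed log lines in an assumed format, flags sources that fit that pattern, and lists the accounts that succeeded from a flagged source (the ones a defender would queue for a forced password reset).

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real Roku data), one attempt per line.
# The key=value layout is an assumption made for this example.
SAMPLE_LOG = """\
2024-04-10T12:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2024-04-10T12:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2024-04-10T12:00:02Z ip=203.0.113.7 user=carol@example.com result=FAIL
2024-04-10T12:00:03Z ip=203.0.113.7 user=dave@example.com result=SUCCESS
2024-04-10T12:00:03Z ip=203.0.113.7 user=erin@example.com result=FAIL
2024-04-10T12:00:04Z ip=203.0.113.7 user=frank@example.com result=FAIL
2024-04-10T12:00:05Z ip=198.51.100.2 user=alice@example.com result=FAIL
2024-04-10T12:00:09Z ip=198.51.100.2 user=alice@example.com result=SUCCESS
2024-04-10T12:01:00Z ip=192.0.2.9 user=grace@example.com result=SUCCESS
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)")


def detect_credential_stuffing(log_text, min_accounts=5, min_fail_ratio=0.7):
    """Return {ip: summary} for sources that tried at least `min_accounts`
    distinct usernames with a failure ratio of at least `min_fail_ratio`.
    A single user mistyping their own password (one account, a few
    failures) is deliberately not flagged."""
    per_ip = defaultdict(lambda: {"users": set(), "hits": set(), "fail": 0, "success": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        s = per_ip[m["ip"]]
        s["users"].add(m["user"])
        if m["result"] == "SUCCESS":
            s["success"] += 1
            s["hits"].add(m["user"])  # account now presumed compromised
        else:
            s["fail"] += 1

    flagged = {}
    for ip, s in per_ip.items():
        total = s["fail"] + s["success"]
        fail_ratio = s["fail"] / total
        if len(s["users"]) >= min_accounts and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "accounts_tried": len(s["users"]),
                "fail_ratio": round(fail_ratio, 2),
                "hijacked": sorted(s["hits"]),  # candidates for forced reset
            }
    return flagged


if __name__ == "__main__":
    print(detect_credential_stuffing(SAMPLE_LOG))
```

The thresholds are starting points; in production they would be tuned per source (shared NAT egress addresses legitimately carry many accounts) and combined with rate and user-agent signals.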
Roku says that only about 400 of the breached accounts had transactions posted to them by the hackers, but the two credential stuffing attacks have nevertheless prompted sweeping security changes. Users with breached accounts have had their passwords reset, but all users will also be prompted to confirm their email address as a baseline 2FA method for continued account access. The company also said that it will refund users that had purchases made through their accounts by the hackers.
The silver lining to the credential stuffing attacks is that the hackers apparently were not able to view customer payment information or any sensitive contact information through the accounts, so as long as Roku reimburses any fraudulent purchases there should be no lasting damage. Customers that have not logged in for some time will still need access to the email address associated with their Roku account, however, as upon their next login they will be asked to click an emailed verification link to set up the 2FA method.
It is nevertheless important for Roku users who have been sent a notice to change their passwords, as attackers may attempt to sell compromised accounts on the dark web (where they often trade for under $1 each). In-app purchases by hackers are limited to products made by Roku, but these can include some fairly expensive devices such as televisions and streaming boxes.
Email 2FA now mandatory for Roku customer logins, but may not be enough
Email 2FA does create some layer of additional security, and might have been enough to stop the credential stuffing attacks. Security experts generally see it as too basic and inadequate a multi-factor method, however, and Roku’s own help pages indicate it can be bypassed if the attacker knows the last five digits of the ID number of any Roku streaming device on the account.
Roku is already struggling with customer discontent related to a recent change to its terms of service that forces customers to agree to arbitration in lieu of filing a lawsuit against the company. Some customers have taken to social media to express that they believe this change was made due to the credential stuffing attacks, but Roku maintains the policy change is unrelated.
Roku has been one of the biggest names in “smart TV” streaming since it launched 15 years ago in a partnership with Netflix, and holds the largest share of the US streaming TV market. The company is presently on its tenth generation of products, the first of which launched in 2021. But it has drawn more security criticism as the years have gone on, most notably a 2018 article by Consumer Reports that highlighted how it (and other smart TV brands) collects an assortment of potentially sensitive private data from users without them necessarily being aware of the scope of its profiling.
Other security concerns have been raised about both Roku and smart streaming devices in general ranging from a lack of transparency in terms of what Linux-based vulnerabilities they might be subject to, to the possibility of hackers gaining relatively easy access to the devices by compromising home WiFi networks. But streaming accounts have not proven to be a particular priority for advanced cyber criminals, likely due to the fact that they can only be sold for low prices on the dark web as they offer little more than the ability to access paid video content.
There was one other major breach of such a service fairly recently, however, when Plex was attacked in mid-2022. That incident yielded basic customer contact information but also encrypted account passwords, and some 30 million customers were impacted.
Ted Miracco, CEO of Approov, believes that Roku still needs to make improvements in API security: “While Roku’s efforts to implement two-factor authentication (2FA) and reset passwords for compromised accounts are commendable initial steps, they are woefully inadequate in the context of modern cybersecurity demands. The reliance on traditional security measures like 2FA and merely managing credentials exposes a fundamental misunderstanding of the current threat landscape, especially concerning API security. Today’s digital environment, where APIs serve as crucial gateways to vast amounts of sensitive user data, requires a much more robust defense strategy than what Roku has proposed. APIs, particularly those interfaced with mobile devices, are often the target of sophisticated bot attacks that cannot be thwarted by simple credential management or basic authentication protocols. A truly effective security posture demands the integration of advanced measures such as app attestation and token-based access controls. App attestation ensures that only legitimate, untampered versions of an application can interact with critical backend services, effectively neutralizing many potential threats at the source. Similarly, token-based access to APIs can provide a more secure and controlled method of managing interactions between devices and backend services, ensuring that each request is authenticated, authorized, traceable and short-lived.”
“Roku’s response, while a step in the right direction, falls short of leveraging these advanced protective measures. It is imperative for Roku to enhance their security architecture beyond conventional methods to safeguard against the increasingly sophisticated and varied attack vectors of today’s cyber threats. Failure to do so could not only jeopardize user security but could also erode trust in Roku’s commitment to genuinely protecting its users,” added Miracco.