Roku has disclosed a data breach impacting over 15,000 customers after hacked accounts were used to make fraudulent purchases of hardware and streaming subscriptions.
However, BleepingComputer has learned there is more to this attack, with threat actors selling the stolen accounts for as little as $0.50 per account, allowing purchasers to use stored credit cards to make illegal purchases.
On Friday, Roku first disclosed the data breach, warning that 15,363 customer accounts were hacked in a credential stuffing attack.
A credential stuffing attack is when threat actors collect credentials exposed in data breaches and then attempt to use them to log in to other sites, in this case, Roku.com.
The company says that once an account was breached, it allowed threat actors to change the information on the account, including passwords, email addresses, and shipping addresses.
This effectively locked a user out of the account, allowing the threat actors to make purchases using stored credit card information without the legitimate account holder receiving order confirmation emails.
"It appears likely that the same username/password combinations had been used as login information for such third-party services as well as certain individual Roku accounts," reads the data breach notice.
"As a result, unauthorized actors were able to obtain login information from third-party sources and then use it to access certain individual Roku accounts."
"After gaining access, they then changed the Roku login information for the affected individual Roku accounts, and, in a limited number of cases, attempted to purchase streaming subscriptions."
Roku says that it secured the impacted accounts and forced a password reset upon detecting the incident.
Additionally, the platform's security team investigated for any charges due to unauthorized purchases performed by the hackers and took steps to cancel the relevant subscriptions and refund the account holders.
Legitimate account holders whose accounts were hijacked must visit "my.roku.com" and click on 'Forgot password?' to receive a reset link by email.
After accessing the account, head to the Roku dashboard and review the activity, connected devices, and active subscriptions to ensure everything is legitimate.
Unfortunately, Roku does not support two-factor authentication, which would block these hijacks even when a customer's password has already been exposed in another breach.
Roku accounts are only worth 50 cents
Roku is a digital media and streaming content company offering streaming sticks and boxes, home automation kits, sound bars, light strips, and TVs running its specialized OS, allowing users to access services like Netflix, Hulu, and Amazon Prime Video.
To generate revenue, Roku also allows customers to purchase streaming subscriptions directly through their Roku account. This enables customers to manage all their streaming services through one account.
However, when adding a subscription, Roku stores customers' credit card information in their online accounts so that they can easily be used for future purchases.
BleepingComputer has learned that numerous threat actors are conducting credential stuffing attacks using the Open Bullet 2 or SilverBullet cracking tools.
These programs allow you to import custom configs (configuration files) that are created to perform credential stuffing attacks against specific websites, such as Netflix, Steam, Chick-fil-A, and Roku.
A researcher told BleepingComputer last week that the threat actors have been using a Roku config to perform credential stuffing attacks for months, bypassing brute force attack protections and captchas by using specific URLs and rotating through lists of proxy servers.
Successfully hacked accounts are then sold on stolen account marketplaces for as little as 50 cents, as seen below where 439 accounts are being sold.
The seller of these accounts provides information on how to change information on the account to make fraudulent purchases.
Those who purchase the stolen accounts hijack them with their own information and use stored credit cards to purchase cameras, remotes, soundbars, light strips, and streaming boxes.
After making their purchases, it is common for them to share screenshots of redacted order confirmation emails on Telegram channels associated with the stolen account marketplaces.
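As an added illustration, not code from the article or from Roku, the following is a defender-side check for the two signals described above: one leaked credential list sprayed across many accounts (including through rotating proxies, which defeats per-IP counting alone) and a takeover that rewrites email, password and shipping address and then buys. The event names, thresholds and sample log are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed account-activity events (not real Roku data): (timestamp, event, account, source_ip)
EVENTS = [
    ("2024-03-08T10:00:01", "login_fail", "alice", "203.0.113.10"),
    ("2024-03-08T10:00:02", "login_fail", "bob", "203.0.113.10"),
    ("2024-03-08T10:00:03", "login_fail", "carol", "203.0.113.10"),
    ("2024-03-08T10:00:04", "login_ok", "dave", "203.0.113.10"),
    ("2024-03-08T10:00:05", "login_fail", "erin", "203.0.113.12"),   # proxy rotated
    ("2024-03-08T10:00:06", "login_fail", "frank", "203.0.113.13"),  # proxy rotated
    ("2024-03-08T10:05:00", "login_ok", "dave", "203.0.113.11"),
    ("2024-03-08T10:06:00", "email_change", "dave", "203.0.113.11"),
    ("2024-03-08T10:06:30", "password_change", "dave", "203.0.113.11"),
    ("2024-03-08T10:07:00", "address_change", "dave", "203.0.113.11"),
    ("2024-03-08T10:09:00", "purchase", "dave", "203.0.113.11"),
    ("2024-03-08T11:01:00", "purchase", "grace", "198.51.100.7"),   # no prior change
    ("2024-03-09T09:00:00", "address_change", "heidi", "198.51.100.8"),
    ("2024-03-09T11:00:00", "purchase", "heidi", "198.51.100.8"),   # 2 h later
]
PROFILE_CHANGES = {"email_change", "password_change", "address_change"}
TS = datetime.fromisoformat

def stuffing_sources(events, min_accounts=4):
    """IPs that attempted logins for >= min_accounts distinct accounts (one client walking a list)."""
    per_ip = defaultdict(set)
    for _, ev, acct, ip in events:
        if ev.startswith("login"):
            per_ip[ip].add(acct)
    return sorted(ip for ip, a in per_ip.items() if len(a) >= min_accounts)

def max_failed_accounts(events, window=timedelta(seconds=60)):
    """Most distinct accounts failing login inside any window, ignoring IP: survives proxy rotation."""
    fails = sorted((TS(ts), acct) for ts, ev, acct, _ in events if ev == "login_fail")
    best = 0
    for i, (t0, _) in enumerate(fails):
        accts = {a for t, a in fails[i:] if t - t0 <= window}
        best = max(best, len(accts))
    return best

def takeover_then_purchase(events, window=timedelta(hours=1)):
    """Accounts where a purchase followed a profile change within window: the lock-out-then-buy pattern."""
    last_change, flagged = {}, set()
    for ts, ev, acct, _ in sorted(events):
        t = TS(ts)
        if ev in PROFILE_CHANGES:
            last_change[acct] = t
        elif ev == "purchase" and acct in last_change and t - last_change[acct] <= window:
            flagged.add(acct)
    return sorted(flagged)
```

In practice the purchase check would also key on a changed shipping address that differs from the card's billing address, which is the re-verification step a commenter below expects a shop to perform.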
Recently, Roku has been under fire for making changes to its "Dispute Resolution Terms" and preventing customers from using their streaming devices until they agree to them.
These new terms force customers to first handle any complaints through an in-person, phone, or video call with the company's legal representatives before a claim can be filed in arbitration.
However, as shown in the image above, there is no way to continue using a Roku streaming device without first agreeing to the terms.
A source told BleepingComputer that the new Dispute Resolution Terms are in part related to the ongoing credential stuffing attacks and financial fraud being conducted through the hacked accounts.
Update 3/11/24: After the publication of our article, Roku disputed what we were told, stating that the new Dispute Resolution Terms are not related to the hacked accounts and fraudulent activities.
Comments
electrolite - 8 months ago
"Legitimate account holders who got hijacked must visit "my.roku.com" and click on 'Forgot password?' to get a reset link on their email."
Instead of 'Forgot password?' they need a new link saying 'Got hijacked? Want to take a shot at getting your account back?'
Never store your credit card with any company. Type it in for each transaction if you have to or use a password manager that allows storing CC's as well. (a good password manager!)
Cla001 - 8 months ago
I don't get it. The article says that hijackers gained access to accounts, changed shipping addresses, emails and names, and yet were still able to use saved credit cards?
Every single online store I've ever seen would immediately require you to reenter at least some credit card details (CVV/CVC, exp date or a part of the number) as soon as you add a new address or make other substantial change to the account details. This has been the case for probably 20 years and is literally "eCommerce Security 101". Are you saying that Roku was not even doing this much to protect user accounts??
Mr.Tom - 6 months ago
It states in the picture above for the marketplace selling the accounts. They say to purchase items first, then change information afterwards. I'm assuming it's a timing thing: the address while ordering doesn't get stored with the order, but is grabbed during shipping.
jmwoods - 8 months ago
Why wasn't the stored credit card data encrypted?
SuperSapien64 - 8 months ago
It's just sleazy that Roku forced everyone to agree to their new terms shortly before this hack.
Makes me suspect that they might have seen this coming because they have no TFA; man, even if it was either text- or email-based TFA, that could have prevented this from happening.
bumgarb - 7 months ago
"It's just sleazy that Roku forced everyone to agree to their new terms shortly before this hack.
Makes me suspect that they might have seen this coming because they have no TFA; man, even if it was either text- or email-based TFA, that could have prevented this from happening."
I'd say 100% they were aware of the hack before making everyone agree to terms. I just had a medical company pull the same thing... only they released new terms, then closed my account due to "inactivity," then sent me a "we've been hacked notice" in the postal mail. Their steps left me with no recourse and no way of knowing what data of mine was stored with them when compromised. Each day it is more anti-consumer/customer - we should scrub our data, close unneeded accounts, and use credit cards that offer one-time card numbers.