© 2024 Blaze Media LLC. All rights reserved.
Over 575,000 Roku accounts exposed to 'malicious actors' as hackers make purchases with users' stored payment methods
Photo Illustration by Pavlo Gonchar/SOPA Images/LightRocket via Getty Images

Over 575,000 Roku accounts exposed to 'malicious actors' as hackers make purchases with users' stored payment methods

Smart TV operating system Roku was on the receiving end of a low-level hacking incident during which hundreds of thousands of accounts were accessed. Some users had purchases made with their accounts.

After 15,000 Roku accounts were breached in March 2024, an April 2024 attack was discovered by the company, which was said to have affected another 576,000 accounts.

A cyberattack known as "credential stuffing" was used, according to Variety, where online thieves use login credentials taken from other hacks to attempt to log in to a different online account, in this case Roku.

Roku reportedly claimed that the original source for user login credentials was not its network.

In terms of what the "malicious actors" had access to, Roku stated that the hackers were able to use the accounts to make unauthorized purchases of streaming service subscriptions and/or Roku hardware products. This was done in fewer than 400 cases, the company claimed, or approximately 0.07% of the accounts that were compromised.

Those accounts were refunded or had charges reversed.

Additionally, Roku said that hackers did not gain access to sensitive personal information, such as full credit card numbers or other payment information. It is unclear how the criminals were able to access the accounts and make purchases while not seeing the less-sensitive data.

In response, Roku reset the passwords of all affected accounts and enabled two-factor authentication for all Roku account logins.

"While the overall number of affected accounts represents a small fraction of Roku’s more than 80 million active accounts, we are implementing a number of controls and countermeasures to detect and deter future credential stuffing incidents," the company said, per Variety.

"[W]e sincerely regret that these incidents occurred and any disruption they may have caused. ... [Y]our account security is a top priority, and we are committed to protecting your Roku account," Roku added.

Other Data Breaches

In a not-so-funny April Fools' report, AT&T reported that the personal information of a whopping 73 million current and former customers was posted on the dark web. The data breach reportedly included users' Social Security numbers.

"Based on our preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders," AT&T noted.

DNA mapping company 23andMe, on the other hand, denied fault for its massive data security breach from 2023 and shifted blame to users who "recycled" their passwords, according to a letter obtained by TechCrunch.

The security breach impacted 6.9 million 23andMe accounts, almost half the company's users, and resulted in dozens of lawsuits.

This hack was also accomplished by credential stuffing that opened up access to 14,000 user accounts, which then allowed hackers to access the data of millions of 23andMe users who had opted in to the website's DNA Relatives feature.

"Users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe," the company letter claimed.

Like Blaze News? Bypass the censors, sign up for our newsletters, and get stories like this direct to your inbox. Sign up here!

Want to leave a tip?

We answer to you. Help keep our content free of advertisers and big tech censorship by leaving a tip today.
Want to join the conversation?
Already a subscriber?
Andrew Chapados

Andrew Chapados

Andrew Chapados is a writer focusing on sports, culture, entertainment, gaming, and U.S. politics. The podcaster and former radio-broadcaster also served in the Canadian Armed Forces, which he confirms actually does exist.
@andrewsaystv →