Roku TV fans must check bank account after ‘logins stolen’ and credit cards ‘used for purchases’ – look for email clue

OVER 15,000 Roku accounts were cracked by hackers in a major breach.

Roku has admitted that crooks were able to steal login information to hijack accounts – and even make purchases using stored credit card info.

Roku users have been warned over a major account breachCredit: Alamy

The TV streaming giant has more than 80 million users globally, so only a fraction of users were affected.

Roku told The U.S. Sun that it believes it wasn’t directly hacked, but that criminals instead using log-in info that had been leaked from other sources.

This could be linked to TV fans re-using passwords on Roku that they’d also used on other services involved in hacks or leaks.

Hackers try out these leaked passwords on other apps to see if they work – an attack known as “credential stuffing”.

As many as 15,363 accounts were compromised in the breach, which was first reported by Bleeping Computer.

Some of the accounts had their passwords changed by hackers, locking users out.

And for some accounts with stored credit card info, cybercriminals were able to make TV subscription purchases.

These purchases could apply to a whole range of Roku-friendly apps including Netflix, HBO‘s Max, and Disney+.

A Roku spokesperson told The U.S. Sun: “Roku’s security team recently detected suspicious activity that indicated a limited number of Roku accounts were accessed by unauthorized actors.

“Using login credentials obtained from third-party sources (e.g., through data breaches of third-party services that are not related to Roku).

Crooks get ‘access to your payment apps, files and photos’ with ruthless phone attack – the first clue is a strange pop-up

“In response, we took immediate steps to secure these accounts and are notifying affected customers.

“Roku is committed to maintaining our customers’ privacy and security, and we take this incident very seriously.”

HACK ATTACK

The U.S. Sun understands that Roku’s security team first detected suspicious activity earlier in the year.

Payment information wasn’t directly visible, but stored credit cards could still be used to make purchases.

Roku has promised to notify affected customers by mail.

And if your account was used for purchases, these payments will be cancelled and refunded.

Roku is also encouraging users to reset their passwords.

Official password advice from Roku recommends:

Using at least eight characters (but more is much better)
Including a mix of numbers, symbols, lowercase and uppercase letters
Only using new and totally unique passwords – never use one from another app or service
Avoiding personal information that could be easy to guess

You should also avoid common phrases and dictionary words, personal dates, keyboard patterns, and common letter substitutions (like using zeroes instead of the letter o).

STUFFED!

Credential stuffing is an extremely common type of attack because it’s so easy to execute.

Cybercriminals can access huge lists of leaked or hacked log-ins for a whole host of apps.

These crooks will hope that at least some of the people on the list will have re-used those same emails and passwords on other apps or services.

They’ll then try the log-in information elsewhere to see where it works.

The main defence against credential stuffing is to use totally unique passwords on every single service.

To make this easier, consider using a password manager – like iCloud Keychain on iPhone, or the built-in one on Google Chrome – to save you from having to remember each and every log-in.

You can also check to see if any of your emails have been caught up in a breach by going to HaveIBeenPwned.com.

This website even lets you set up alerts so that you’ll be warned if your email appears in a breach list.

An excerpt from the letter that is being mailed out to affected Roku usersCredit: Roku

Source link