Hackers have stolen personal data, including credit-card authentication credentials, of 15,363 Roku users, with data for each individual account selling for just 50 cents on the Dark Web.
Some Roku users were locked out of their accounts, with data thieves co-opting them to make nefarious in-app purchases.
Roku began to notify affected customers on Friday via email with this message.
The streaming company also released this statement to Next TV: “Roku’s security team recently detected suspicious activity that indicated a limited number of Roku accounts were accessed by unauthorized actors using login credentials obtained from third-party sources (e.g., through data breaches of third-party services that are not related to Roku). In response, we took immediate steps to secure these accounts and are notifying affected customers. Roku is committed to maintaining our customers’ privacy and security, and we take this incident very seriously.”
Bleeping Computer was first to report the data breach on Monday.
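The data breach, which occurred "earlier this year," according to Roku, stemmed from what's described as a "credential stuffing" attack, whereby hackers take usernames and passwords stolen from one service and try them out on a range of other services. In this case, according to Roku's statement, the credentials came from third-party sources and were used to access Roku accounts.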
Fortunately, Roku's data doesn't include social security numbers, full payment account numbers, or dates of birth.
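For readers on the defending side, the credential-stuffing pattern described above leaves a recognizable trace in login logs: one source trying many different accounts, with most attempts failing. The sketch below is an added example, not Roku's code or data; the log format, addresses, account names and thresholds are all constructed assumptions. It flags such sources and lists the accounts they did get into, which are the ones to secure and notify.

```python
from collections import defaultdict

# Constructed sample login events (assumed format): timestamp, source IP, account, result
SAMPLE_LOG = """\
2024-01-10T03:00:01Z 203.0.113.7 alice@example.com FAIL
2024-01-10T03:00:02Z 203.0.113.7 bob@example.com FAIL
2024-01-10T03:00:03Z 203.0.113.7 carol@example.com OK
2024-01-10T03:00:04Z 203.0.113.7 dan@example.com FAIL
2024-01-10T03:00:05Z 203.0.113.7 eve@example.com FAIL
2024-01-10T03:00:06Z 203.0.113.7 frank@example.com FAIL
2024-01-10T08:15:00Z 198.51.100.20 grace@example.com FAIL
2024-01-10T08:15:09Z 198.51.100.20 grace@example.com FAIL
2024-01-10T08:15:20Z 198.51.100.20 grace@example.com OK
2024-01-10T09:30:00Z 192.0.2.50 heidi@example.com OK
"""

def parse(log):
    """Yield (ip, account, succeeded) for each log line."""
    for line in log.strip().splitlines():
        _, ip, account, result = line.split()
        yield ip, account, result == "OK"

def find_stuffing(log, min_accounts=5, max_success_ratio=0.3):
    """Return {source_ip: [accounts it logged in to]} for suspicious sources.

    A source is flagged when it tried at least `min_accounts` distinct
    accounts and succeeded on at most `max_success_ratio` of them.
    Both thresholds are illustrative assumptions, not tuned values.
    """
    tried = defaultdict(set)      # ip -> every account attempted
    succeeded = defaultdict(set)  # ip -> accounts with a successful login
    for ip, account, ok in parse(log):
        tried[ip].add(account)
        if ok:
            succeeded[ip].add(account)

    flagged = {}
    for ip, accounts in tried.items():
        ratio = len(succeeded[ip]) / len(accounts)
        if len(accounts) >= min_accounts and ratio <= max_success_ratio:
            # These accounts had a valid reused password: reset and notify.
            flagged[ip] = sorted(succeeded[ip])
    return flagged

if __name__ == "__main__":
    for ip, accounts in find_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: compromised accounts -> {accounts}")
```

A single user mistyping a password (the second address in the sample) is not flagged, because only one account is involved. Attacks spread across many source addresses would need grouping on other signals as well.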