Roku is a global streaming and entertainment organization. It offers solutions for direct streaming, live channels, music, niche channel entertainment, smart home devices, travel technology, audio options, and more. Roku also allows users to subscribe to a limited set of streaming platforms, such as Netflix, Disney+, Paramount+, Hulu, Max, and others.
According to the sample consumer breach notification for the event, the attack involved an unauthorized party gaining access to certain user accounts, known as Account Takeover (ATO) Fraud. Once inside these compromised accounts, the malicious actors attempted to purchase streaming platform subscriptions.
The breach notice published on the Maine Attorney General’s website suggests that the event began in late December 2023 and continued until around February 2024. Officials presumably noticed the suspicious activity in early January 2024 but did not act until around a month later.
Based on the information provided by the consumer notice, this breach will impact specific Roku users. These individuals must reset their account passwords and generate stronger ones; if they reuse the same credentials for other accounts, they must change those as well. If the victims of this event do not change their reused credentials, they may put other organizations and people at risk of further cyberattacks.
The breach filing on Maine’s website suggests 15,363 individuals may have been directly impacted by this event. However, this figure may increase, especially if the criminals begin using the stolen credentials to attack other organizations in attacks known as “credential stuffing.” These attacks are difficult for many systems to detect—23andMe, for example, is a well-known victim of a credential-stuffing attack.
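As an added illustration (not from the article or from Roku), here is a small Python detector for the credential-stuffing pattern described above, run over constructed authentication log lines in an assumed "timestamp src_ip username result" format: one source address trying many distinct accounts in a short window with mostly failures is flagged, while a single user mistyping their own password is not.

```python
# Added example, not from the article: a minimal credential-stuffing detector
# over constructed auth log lines in a hypothetical "ts ip user result" format.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: one IP trying many distinct accounts with
# mostly failures (a stuffing run), one user mistyping their own password.
SAMPLE_LOG = """\
2024-01-03T02:14:05Z 203.0.113.7 alice FAIL
2024-01-03T02:14:06Z 203.0.113.7 bob FAIL
2024-01-03T02:14:06Z 203.0.113.7 carol OK
2024-01-03T02:14:07Z 203.0.113.7 dave FAIL
2024-01-03T02:14:08Z 203.0.113.7 erin FAIL
2024-01-03T02:14:09Z 203.0.113.7 frank FAIL
2024-01-03T09:30:00Z 198.51.100.2 alice FAIL
2024-01-03T09:30:20Z 198.51.100.2 alice FAIL
2024-01-03T09:30:41Z 198.51.100.2 alice OK
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"

def detect_stuffing(log_text, window=timedelta(minutes=10),
                    min_users=5, max_success_ratio=0.5):
    """Flag source IPs that try many distinct accounts inside one window with
    a low success ratio: the signature of a stuffing run, as opposed to a user
    fumbling their own password (one account, a few attempts)."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # slide the window so attempts[start:end+1] spans at most `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(ok for _, _, ok in chunk)
            if len(users) >= min_users and successes / len(chunk) <= max_success_ratio:
                flagged[ip] = {"distinct_users": len(users), "attempts": len(chunk),
                               "successes": successes}
    return flagged

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

A success recorded inside a flagged run (carol above) is the account-takeover case the notice describes: that account, not just the source address, needs a forced password reset.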