from Hacker News

Roku data breach: Over 15k accounts affected

by willyg123 on 3/11/24, 10:41 PM with 63 comments

  • by brevitea on 3/11/24, 11:04 PM

    Sure wish CISA and SEC would effectively monitor and fine companies that suffer data breaches. After all, we're not being paid for that data, yet we remain the victim of their actions.

  • by Brybry on 3/12/24, 12:07 AM

    Is this not just credential stuffing?

    The article cites these two sources[1][2] which say

    > Unauthorized individuals using account credentials believed to have been obtained from third-party source(s) were used to access individual customer accounts

    [1] https://apps.web.maine.gov/online/aeviewer/ME/40/e9cc298b-37...

    [2] https://oag.ca.gov/system/files/Template%20Notification%203-...

  • by hentrep on 3/12/24, 12:06 AM

    > potentially affecting 15,363 individuals in the United States, including 76 in the state of Maine.

    Odd that Roku singles out the 0.5% of users affected within the state of Maine. Must be related to some sort of Maine data breach law? I didn't dig too deeply, but not seeing anything explicitly called out in their statutes [0].

    [0] https://legislature.maine.gov/legis/statutes/10/title10sec13...

  • by NoPicklez on 3/12/24, 12:39 AM

    This just looks more like Roku had identified significant amounts of credential stuffing across customer accounts. As opposed to someone breaking into the back end of Roku and leaking customer account details.

    It could also be targeted credential stuffing given recent events. An interesting tactic to create problems for a company.

    I'm not saying Roku is a good company, but this isn't really a data breach but poor credential management by customers.

  • by cadence- on 3/11/24, 11:39 PM

    Looks like Ars Technica called it:

    Roku is also taking heat for using forced arbitration at all, which some argue can have one-sided benefits. In a similar move in December, for example, 23andMe said users had 30 days to opt out of its new dispute resolution terms, which included mass arbitration rules (the genetics firm let customers opt out via email, though). The changes came after 23andMe user data was stolen in a cyberattack. Forced arbitration clauses are frequently used by large companies to avoid being sued by fed-up customers.

    https://arstechnica.com/gadgets/2024/03/disgraceful-messy-to...

  • by iAkashPaul on 3/12/24, 12:24 PM

    That recent push by Roku for accepting updated EULA around arbitration makes quite a lot more sense

  • by enragedcacti on 3/11/24, 11:08 PM

    For those who don't know, just a week or so ago Roku amended the arbitration clause of their terms of service and soft-bricked every Roku in the US until you Agreed to the new terms. This even extended to TVs from other brands with Roku software, making the TV non-functional even as a dumb display since the Roku software controls input selection AND would ignore any HDMI-CEC commands. I guess we know why now.

    There is a 30-day window after agreeing where you can mail them a letter opting out of the new arbitration agreement.

    https://cordcuttersnews.com/roku-issues-a-mandatory-terms-of...

  • by 999900000999 on 3/12/24, 12:03 AM

    This is absolutely glorious.

    Days after forcing it's users into mandatory arbitrations this comes out.

    Would be awesome if holding someone's TV hostage until they agree to not sue you was illegal.

  • by CedarMadness on 3/11/24, 11:09 PM

    This breach is suspiciously close to their new forced arbitration in their terms of service.

  • by mtlynch on 3/11/24, 11:08 PM

    Related: Ask HN: Fighting back against Roku's forced arbitration?

    https://news.ycombinator.com/item?id=39503941 (2024-02-25)

  • by lagniappe on 3/11/24, 11:13 PM

    Changing terms after the fact does not change the terms that were being operated under during the time of the breach.

  • by whynotmaybe on 3/11/24, 11:25 PM

    One after the other, can we all assume now that a data breach for any company is not an "if" anymore, just a "when"?

  • by jkic47 on 3/11/24, 11:03 PM

    Could that be a reason they amended their terms and conditions in such a draconian way?

  • by djinnandtonic on 3/11/24, 11:35 PM

    Why does this notification say passwords were compromised and not password hashes? Certainly Roku engineers were better than that?

  • by grimgrin on 3/11/24, 11:49 PM

    > As a result, unauthorized actors were able to obtain login information from third-party sources and then use it to access certain individual Roku accounts. After gaining access, they then changed the Roku login information for the affected individual Roku accounts, and, in a limited number of cases, attempted to purchase streaming subscriptions.

    how limited and what subs

  • by bee_rider on 3/11/24, 11:03 PM

    So, I guess this must be why they changed their TOS.

  • by matrix12 on 3/11/24, 11:30 PM

    It sure would be nice to know what was exposed in the hack. Given they are an advertisement company.

  • by BHSPitMonkey on 3/11/24, 11:26 PM

    This is your regular reminder to audit your password manager for accounts you no longer need, and then go and have those accounts deleted.

    Of course you can't guarantee that your data will actually be purged, or that it hasn't already been compromised from these places - but less exposure is better than more exposure, right?

  • by tiahura on 3/11/24, 11:23 PM

    I'm sorry, after 20 years of data breach alarmism, and resulting de minimus consequences, isn't time for some of this to get a "who cares?"