The Verge reported that Roku has disclosed a breach that allowed hackers to gain access to 15,363 accounts and stored credit card information. In a notice sent to customers, Roku says hackers obtained login information and tried to purchase streaming subscriptions in a ‘limited number’ of instances.
Hackers likely obtained account information exposed in previous data breaches of third-party services, Roku says. This kind of attack, called credential stuffing, involves hackers getting the emails and passwords exposed in data breaches and trying the combination on other services. Once they gained access to an account, Roku hackers changed the login information for some accounts, allowing them to gain full control.
If the account had stored credit card info, hackers could also purchase subscriptions within Roku for services such as Netflix, Max, Paramount Plus, Hulu, Peacock, Disney Plus, and others.