After noticing suspicious activity on individual user accounts, Roku announced that 15,363 accounts had been breached by unauthorized users who likely reused usernames and passwords exposed in other breaches. Roku’s investigation found that these bad actors then used the accounts to pay for streaming services.
Whether you were affected or not, this is your latest reminder not to use the same username and password across multiple services.
Roku sent the thousands of affected users an email alerting them that their accounts had been accessed and urging them to change their passwords immediately. Roku believes the company’s own systems weren’t breached, and that the affected users had instead used the same login information on other services as on their Roku accounts. Roku said that sensitive information like social security numbers and full payment information was not compromised.
The breaches reportedly occurred from December 28, 2023, to February 21, 2024, and were discovered in January 2024. According to the Office of the Maine Attorney General, Roku described the breaches as “unauthorized individuals using account credentials believed to have been obtained from [a] third-party source(s) were used to access individual customer accounts.” That office informs affected residents of data breaches in compliance with regulations, as several other US states do.
For the accounts Roku discovered to be affected, the company is requiring a password reset, has canceled any unauthorized subscriptions and transactions, and has issued a refund for unauthorized charges.
If you’re an affected Roku user, change your account password immediately using the “Forgot password?” option on the sign-in page. If you’re a Roku user and were not affected but you use the same password across different services, change all your account passwords immediately. In either case, don’t use that same password again.
Once logged in, review your account settings to check for any unauthorized subscriptions and logged-in devices.
If a bad actor ever uses your payment information, as in the case of these breaches, stay alert for fraudulent activity by monitoring your accounts and credit reports for at least a few months.