In a newbreach notice, Roku says that hackers hijacked over 15,000 user accounts and utilized customers' saved credit card information. However, Roku’s security was not compromised in this breach. This is a case of customers reusing old passwords.

An attack method calledcredential stuffingis responsible for this breach. Credential stuffing is incredibly simple—hackers take a list of known email and password combinations, dump each one into a website’s login field, and take note of any credentials that produce a successful login. The emails and passwords used in this breach were obtained from previous, unrelated data breaches.

Several individuals or groups may have participated in this attack. They likely used credential-stuffing tools like Open Bullet 2 to automate the attack process. And, as discovered byBleeping Computer, compromised Roku accounts were sold on Telegram and other platforms for as little as 50¢ apiece. Buyers were encouraged to immediately change the login and recovery details for purchased accounts. In some cases, these buyers also used customers' credit card information to purchase new streaming subscriptions or Roku hardware.

“Through our investigation, we determined that unauthorized actors had likely obtained certain usernames and passwords of consumers from third-party sources (e.g., through data breaches of third-party services that are not related to Roku)”

According to Roku’s breach notice, 15,363 customer accounts were affected in this breach. The number of accounts that were hit by fraudulent purchases is unknown.

Sensitive materials, such as birthdays or full payment details, were not exposed in this breach. However, hackers are well aware that a successful username and password combination may be reused across several websites or services. You need to stop reusing passwords and consider using apassword manager. I also suggest usingHaveIBeenPwnedto see if your credentials have appeared in a public data breach.

Of course, customers can’t be blamed for this breach. Roku needs to take steps to prevent unauthorized account logins. If a Roku account can make purchases with a credit card, the account should be protected by two-factor authentication and other security systems. Roku currently offers two-factor authentication for its smart home products but does not provide the same protection for streaming accounts.

Roku published itsdata breach noticeon Friday, March 8th. This notice will be sent to affected customers, though Roku has already forced customers to reset their passwords. The company also says that it has identified and reversed fraudulent purchases. You may have received a refund for a fraudulent purchase without realizing it, though you should still take a few minutes to investigate your Roku account and associated credit card bill.