Roku data breach: Over 15k accounts affected

113 points by willyg123 about 1 year ago

19 comments

brevitea about 1 year ago
Sure wish CISA and SEC would effectively monitor and fine companies that suffer data breaches. After all, we're not being paid for that data, yet we remain the victim of their actions.
Brybry about 1 year ago
Is this not just credential stuffing?

The article cites these two sources[1][2] which say

> Unauthorized individuals using account credentials believed to have been obtained from third-party source(s) were used to access individual customer accounts

[1] https://apps.web.maine.gov/online/aeviewer/ME/40/e9cc298b-379b-47ba-a10d-e2263963b574.shtml

[2] https://oag.ca.gov/system/files/Template%20Notification%203-8-2024.pdf
hentrep about 1 year ago
> potentially affecting 15,363 individuals in the United States, including 76 in the state of Maine.

Odd that Roku singles out the 0.5% of users affected within the state of Maine. Must be related to some sort of Maine data breach law? I didn't dig too deeply, but not seeing anything explicitly called out in their statutes [0].

[0] https://legislature.maine.gov/legis/statutes/10/title10sec1348.html
NoPicklez about 1 year ago
This just looks more like Roku had identified significant amounts of credential stuffing across customer accounts. As opposed to someone breaking into the back end of Roku and leaking customer account details.

It could also be targeted credential stuffing given recent events. An interesting tactic to create problems for a company.

I'm not saying Roku is a good company, but this isn't really a data breach but poor credential management by customers.
cadence- about 1 year ago
Looks like Ars Technica called it:

*Roku is also taking heat for using forced arbitration at all, which some argue can have one-sided benefits. In a similar move in December, for example, 23andMe said users had 30 days to opt out of its new dispute resolution terms, which included mass arbitration rules (the genetics firm let customers opt out via email, though). The changes came after 23andMe user data was stolen in a cyberattack. Forced arbitration clauses are frequently used by large companies to avoid being sued by fed-up customers.*

https://arstechnica.com/gadgets/2024/03/disgraceful-messy-tos-update-allegedly-locks-roku-devices-until-users-give-in/
iAkashPaul about 1 year ago
That recent push by Roku for accepting updated EULA around arbitration makes quite a lot more sense
enragedcacti about 1 year ago
For those who don't know, just a week or so ago Roku amended the arbitration clause of their terms of service and soft-bricked every Roku in the US until you Agreed to the new terms. This even extended to TVs from other brands with Roku software, making the TV non-functional even as a dumb display since the Roku software controls input selection AND would ignore any HDMI-CEC commands. I guess we know why now.

There is a 30-day window after agreeing where you can mail them a letter opting out of the new arbitration agreement.

https://cordcuttersnews.com/roku-issues-a-mandatory-terms-of-service-update-that-you-must-agree-to-or-you-cant-use-your-roku/
999900000999 about 1 year ago
This is absolutely glorious.

Days after forcing its users into mandatory arbitrations this comes out.

Would be awesome if holding someone's TV hostage until they agree to not sue you was illegal.
CedarMadness about 1 year ago
This breach is suspiciously close to their new forced arbitration in their terms of service.
mtlynch about 1 year ago
Related: Ask HN: Fighting back against Roku's forced arbitration?

https://news.ycombinator.com/item?id=39503941 (2024-02-25)
lagniappe about 1 year ago
Changing terms after the fact does not change the terms that were being operated under during the time of the breach.
whynotmaybe about 1 year ago
One after the other, can we all assume now that a data breach for any company is not an "if" anymore, just a "when"?
jkic47 about 1 year ago
Could that be a reason they amended their terms and conditions in such a draconian way?
djinnandtonic about 1 year ago
Why does this notification say passwords were compromised and not password hashes? Certainly Roku engineers were better than that?
grimgrin about 1 year ago
> As a result, unauthorized actors were able to obtain login information from third-party sources and then use it to access certain individual Roku accounts. After gaining access, they then changed the Roku login information for the affected individual Roku accounts, and, in a limited number of cases, attempted to purchase streaming subscriptions.

how limited and what subs
bee_rider about 1 year ago
So, I guess this must be why they changed their TOS.
matrix12 about 1 year ago
It sure would be nice to know what was exposed in the hack. Given they are an advertisement company.
BHSPitMonkey about 1 year ago
This is your regular reminder to audit your password manager for accounts you no longer need, and then go and have those accounts deleted.

Of course you can't guarantee that your data will actually be purged, or that it hasn't already been compromised from these places - but less exposure is better than more exposure, right?
tiahura about 1 year ago
I'm sorry, after 20 years of data breach alarmism, and resulting de minimis consequences, isn't it time for some of this to get a "who cares?"