Roku Discloses Breach of More Than 15,000 Streaming Accounts

Roku said access to 15,363 streaming user accounts was obtained by “unauthorized individuals” who in some cases sought to purchase streaming subscriptions via the hack.

The company disclosed the breach on Friday, March 8, in a filing with the Maine Attorney General’s Office. According to a report by Bleeping Computer, the perpetrators of the data theft were seeking to sell the stolen account credentials “for as little as $0.50 per account, allowing purchasers to use stored credit cards to make illegal purchases.”

Roku said it secured the affected accounts from further unauthorized access by requiring each registered account holder to reset the password, according to a letter it sent to affected users, posted on the Maine AG’s website. The company also said it investigated account activity “to determine whether the unauthorized actors had incurred any charges, and we took steps to cancel unauthorized subscriptions and refund any unauthorized charges.”

The 15,000-plus accounts that were breached are a small fraction of Roku’s overall base: The company said it ended 2023 with 80 million active user accounts.

“We take our viewers’ privacy and security seriously and, as part of our commitment to those values and protecting your information, we are writing to notify you about a recent event that may have affected your Roku account,” the company said in a letter to affected users.

According to the customer notice, Roku’s security team “recently observed suspicious activity indicating that certain individual Roku accounts may have been accessed by unauthorized actors.” The company said its investigation determined that unauthorized actors had likely obtained certain usernames and passwords of consumers from third-party sources (that is, through data breaches of third-party services that are not related to Roku).

“It appears likely that the same username/password combinations had been used as login information for such third-party services as well as certain individual Roku accounts. As a result, unauthorized actors were able to obtain login information from third-party sources and then use it to access certain individual Roku accounts,” Roku’s letter says. “After gaining access, they then changed the Roku login information for the affected individual Roku accounts, and, in a limited number of cases, attempted to purchase streaming subscriptions.”

According to the letter, the affected Roku accounts did not provide the unauthorized actors with access to Social Security numbers, full payment account numbers, dates of birth, or other “similar sensitive personal information requiring notification.”

Roku said customers who are concerned that their account may have been affected are encouraged to reset their password at my.roku.com. Additional information can be found on Roku’s support page in an article about “How to create a strong and secure password for your Roku account.”
