Roku Attack: 576,000 accounts ‘impacted’

Summary

Attention grabbing headlines relating to the Roku “Data Breach” seem to have spread everywhere over the last few days. It is worth looking into what actually happened though, mainly because so many organisations are at risk from exactly the same attack.

This wasn’t a network breach in the sense that somebody gained access to internal Roku infrastructure. What happened was that an attacker obtained a collection of username/password values from other data breaches and then just tried to use the same values to log into Roku accounts. Simple!

We now know that at least 576,000 out of Roku’s 80,000,000 users (around 1 in every 140) were using the same username/password for their Roku account and some other service that had already been breached. This attack, known as ‘credential stuffing’, is a simple probability game. If the attackers collect enough compromised accounts, and pick a target with a large collection of accounts, then it is almost inevitable that they will find some username/password combinations that work.

If you have any Internet-facing services that use password based authentication then it is worth paying attention to the numbers above. This suggests that if you have 70 accounts then there is a 50% chance that one of them is using a username/password combination that can be found in an existing breach data dump.
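The probability game described above, worked through in general as an added example (not code from the original post): it takes the per-account overlap rate implied by the Roku figures, and for any number of accounts computes the expected number that reuse a breached username/password, the exact probability that at least one does, and how many accounts it takes to reach a chosen probability. The independence assumption (each account is exposed independently with the same probability) is an assumption of the model, not something the post states.

```python
import math
from typing import Optional

# Figures reported for the Roku incident, as quoted in the post above.
EXPOSED_ACCOUNTS = 576_000
TOTAL_ACCOUNTS = 80_000_000


def overlap_rate(exposed: int = EXPOSED_ACCOUNTS, total: int = TOTAL_ACCOUNTS) -> float:
    """Fraction of accounts whose username/password also appears in a breach dump."""
    return exposed / total


def expected_exposed(n_accounts: int, p: Optional[float] = None) -> float:
    """Expected number of exposed accounts among n.

    Model assumption: each account is exposed independently with probability p,
    which is what the '1 in 140' figure implies.
    """
    p = overlap_rate() if p is None else p
    return n_accounts * p


def prob_at_least_one(n_accounts: int, p: Optional[float] = None) -> float:
    """Exact probability that at least one of n accounts reuses a breached pair."""
    p = overlap_rate() if p is None else p
    return 1.0 - (1.0 - p) ** n_accounts


def accounts_for_probability(target: float, p: Optional[float] = None) -> int:
    """Smallest number of accounts at which P(at least one exposed) reaches target."""
    p = overlap_rate() if p is None else p
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    # Solve 1 - (1 - p)^n >= target for n; both logs are negative, so the ratio is positive.
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


if __name__ == "__main__":
    print(f"per-account overlap rate: {overlap_rate():.4%} (about 1 in {1 / overlap_rate():.0f})")
    for n in (10, 70, 100, 500):
        print(f"{n:>4} accounts: expected exposed = {expected_exposed(n):.2f}, "
              f"P(at least one) = {prob_at_least_one(n):.1%}")
    print(f"accounts needed for a 50% chance: {accounts_for_probability(0.5)}")
```

At 70 accounts the expected number of exposed accounts is 0.5, but the probability that at least one is exposed is closer to 40%; the 50% mark is reached at about 96 accounts, so the rough figure in the post is the expected-count reading.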

In other words: if you are a small business that uses password-based authentication for any Internet-facing services, then you are highly exposed to this type of attack. The only real solution is to adopt multi-factor authentication for anything that is Internet-facing, which is exactly what Roku have now done.

If you need any help identifying or mitigating this type of issue then get in touch, we can help you to identify and resolve your highest risk threats and vulnerabilities.

Further Reading

Details from Roku on the incident and their response:

Cyber➾Guard: Threat driven cybersecurity for small and medium sized businesses:
