Bad actors may have illegally gotten into thousands of people’s Roku accounts, Roku told the offices of two state attorneys general.
In a data breach notification to the Office of the Maine Attorney General, the video streaming company estimated the number of accounts affected by the breach at over 15,300. It let those customers know about the situation on Friday via a letter.
The “unauthorized actors” changed the login details of the compromised accounts after using usernames and passwords they likely got “from third-party sources” that Roku believed “had been used as login information for such third-party sources as well as certain individual Roku accounts” to get access, Roku said in the customer notification letter.
The company suggested the bad actors got the login combinations “through data breaches of third-party services that are not related to Roku.” The information was reportedly sold, or the hackers used stored credit card information to sign up for streaming services attached to the device.
The letter is publicly available on both the Maine and California Attorney General websites.
Roku said sensitive personal information such as Social Security numbers, full payment account numbers and birth dates of the breached account holders were not accessed.
| Ticker | Security | Last | Change | Change % |
|---|---|---|---|---|
| ROKU | ROKU INC. | 64.13 | -0.28 | -0.43% |
The bad actors did, however, try to use Roku accounts to sign up for paid streaming subscriptions “in a limited number of cases,” the company said in the letter.
The company became aware of the incident between Jan. 4 and Feb. 21, according to the data breach notification submitted to Maine. The breach itself happened between Dec. 28 and Feb. 21.
“In response, we took immediate steps to secure these accounts and are notifying affected customers,” a Roku spokesperson told FOX Business Tuesday. “Roku is committed to maintaining our customers’ privacy and security, and we take this incident very seriously.”
COMCAST SAYS XFINITY CYBERSECURITY INCIDENT MAY HAVE COMPROMISED CUSTOMER DATA
Roku told customers via letter it “secured the accounts from further unauthorized access by requiring the registered account holder to reset the password, we investigated account activity to determine whether the unauthorized actors had incurred any charges and we took steps to cancel unauthorized subscriptions and refund any unauthorized charges.”
The company’s security team “continues to actively monitor for signs of suspicious activity, to ensure that all customer information and data is kept secure,” according to the letter.
Roku’s total number of active accounts rose to 80 million in the fourth quarter. Those accounts accumulated 29.1 billion hours of streaming in the three-month period and contributed to the 106 billion hours watched by Roku accounts over the course of the entire year, according to the company.
