Roku has disclosed a data breach impacting over 15,000 customers, and reports indicate that the compromised account data is now being offered for sale on various dark web marketplaces.

Roku says hackers obtained login information and tried to purchase streaming subscriptions in a “limited number” of instances.

On Friday, Roku first disclosed the data breach, warning that 15,363 customer accounts were hacked in a credential-stuffing attack.

In a credential-stuffing attack, threat actors collect credentials exposed in data breaches and then attempt to use them to log in to other sites, in this case Roku.com.

If the account had stored credit card info, hackers could also purchase subscriptions within Roku for services such as Netflix, Max, Paramount Plus, Hulu, Peacock, Disney Plus, and others. BleepingComputer also found that hackers are selling the stolen information for around 50 cents per account on a hacking marketplace.

One saving grace is that the Roku accounts didn’t reveal social security numbers, full payment account numbers, or dates of birth. Roku says it has since “secured the accounts from further unauthorized access” by asking affected users to reset their passwords.
