Roku hackers breach 15,000 accounts, used data to subscribe to streaming services

The hackers used stored credit card information to purchase access to streaming platforms

Bad actors may have illegally gotten into thousands of people’s Roku accounts, Roku told the offices of two state attorneys general.

In a data breach notification to the Office of the Maine Attorney General, the video streaming company estimated the number of accounts affected by the breach at over 15,300. It let those customers know about the situation on Friday via a letter.

The "unauthorized actors" changed the login details of the compromised accounts after using usernames and passwords they likely got "from third-party sources" that Roku believed "had been used as login information for such third-party sources as well as certain individual Roku accounts" to get access, Roku said in the customer notification letter. 

The company suggested the bad actors got the login combinations "through data breaches of third-party services that are not related to Roku." The information was reportedly sold, or the hackers used stored credit card information to sign up for streaming services attached to the device. 

GET FOX BUSINESS ON THE GO BY CLICKING HERE

Roku remote in front of TV

Roku says the latest wave of job cuts will impact 6% of its workforce. (Tiffany Hagler-Geard/Bloomberg via Getty Images / Getty Images)

The letter is publicly available on both the Maine and California Attorney General websites.

Roku said sensitive personal information such as Social Security numbers, full payment account numbers and birth dates of the breached account holders were not accessed.

Ticker Security Last Change Change %
ROKU ROKU INC. 56.76 +0.56 +1.00%

The bad actors did, however, try to use Roku accounts to sign up for paid streaming subscriptions "in a limited number of cases," the company said in the letter.

Roku on TV

The Roku app on a television in Hastings-On-Hudson, N.Y., July 25, 2023.  (Tiffany Hagler-Geard/Bloomberg via Getty Images / Getty Images)

The company became aware of the incident between Jan. 4 and Feb. 21, according to the data breach notification submitted to Maine. The breach itself happened between Dec. 28 and Feb. 21.

Roku

"In response, we took immediate steps to secure these accounts and are notifying affected customers," a Roku spokesperson told FOX Business Tuesday. "Roku is committed to maintaining our customers’ privacy and security, and we take this incident very seriously."

COMCAST SAYS XFINITY CYBERSECURITY INCIDENT MAY HAVE COMPROMISED CUSTOMER DATA

Roku told customers via letter it "secured the accounts from further unauthorized access by requiring the registered account holder to reset the password, we investigated account activity to determine whether the unauthorized actors had incurred any charges and we took steps to cancel unauthorized subscriptions and refund any unauthorized charges."

Roku headquarters sign is seen in San Jose, California

Roku's company logo in front of Roku headquarters Nov. 18, 2022, in San Jose.  (Justin Sullivan/Getty Images / Getty Images)

The company’s security team "continues to actively monitor for signs of suspicious activity, to ensure that all customer information and data is kept secure," according to the letter.

CLICK HERE TO READ MORE ON FOX BUSINESS

Roku’s total number of active accounts rose to 80 million in the fourth quarter. Those accounts accumulated 29.1 billion hours of streaming in the three-month period and contributed to the 106 billion hours watched by Roku accounts over the course of the entire year, according to the company.