Absence of 2-Factor Leads to Roku Breach


It’s easy to miss news of the cybersecurity threats and attacks that are happening almost everywhere. At PK Tech, our goal is to educate and offer proactive steps for cybersecurity safety. It’s important to be aware – without being afraid – of the cybersecurity threats that are real risks for your business. PK Tech aims to be a leading educator and support tool in the world of cybersecurity.

This month, we’re highlighting an attack on a popular streaming platform, Roku (reference). What happened? What was the fallout? Why should you care? We’re covering it all here. Let’s dive in.

What the “Hack” Happened?

Earlier this month, Roku sent a warning to their customers that more than 15,000 of them had their usernames and passwords compromised following a data breach of a separate company.

In part, the breach was due to a lack of 2-factor authentication present on Roku user accounts. The original security breach was on another company associated with Roku, but from that breach, malicious actors were able to steal usernames and passwords of Roku customers.

Roku identified the breach in December when their security team noticed logins coming from suspicious devices and locations. Upon further investigation, they realized there was a cache of their customers’ usernames and passwords.

The Fallout

At minimum, hackers used the compromised usernames and passwords to gain access to customer accounts. In a few cases, they took it a step further, purchasing streaming subscriptions through the Roku website with customer credit cards stored on file. 

Upon identifying the attack, Roku immediately began notifying customers that they were affected by a data dump by an unknown third-party company. Customers were told that hackers may purchase streaming services, streaming sticks, sound bars, and even light strips sold through the Roku website with credit card info stored on file. From there, hackers would resell the items to make a profit.

Lessons Learned #ITCouldHaveBeenWorse

While breaches are inevitable, it’s always nice when you can identify a clear cause of a breach. A clear cause typically lends itself to a clear solution – or at least we generally hope so.

It’s clear from the Roku attack that hackers were able to easily breach Roku accounts via a third-party company due to a lack of 2-factor authentication. As we know, there is always risk connected to a third-party vendor association. As a company, when you associate with third-party vendors, on some level, you assume their level of cybersecurity practices (or lack thereof). In this case, Roku failed to protect their customers with 2-factor authentication when a third-party vendor’s cybersecurity failed.

The good news? It’s an easy fix. As Roku communicated with customers, they immediately identified the problem and are encouraging customers to set up 2-factor authentication as soon as possible.

While a breach is never ideal, ready solutions are the goal. As we always like to say, and our message to Roku is, #ITCouldBeWorse.