Roku data breach: Over 15k accounts affected (opens in new tab)

(claimdepot.com)

113 pointswillyg1232y ago63 comments

63 comments

Sure wish CISA and SEC would effectively monitor and fine companies that suffer data breaches. After all, we're not being paid for that data, yet we remain the victim of their actions.

toomuchtodo2y ago

Reporting requirements exist [1], civil and criminal penalties will require Congressional action.

Definitely gross that companies are using forced arbitration to avoid liability for their breaches (first 23andme, now Roku). Call your congressperson. Also, if you are impacted/have standing, consider an FTC complaint [2] and contacting your state’s attorney general.

[1] https://www.sec.gov/news/press-release/2023-139

[2] https://reportfraud.ftc.gov/

ryandrake2y ago

> Call your congressperson.

I'm sure that after my phone call, my congressperson will drop all the things he is being paid thousands of lobbying dollars to do on behalf of his donors to get right on this. Sorry for the snark, but normal people are powerless to do anything about these shenanigans.

toomuchtodo2y ago

Medicare drug negotiations and $8 credit card late fee payments are my rebuttal. You aren’t supposed to fix it; you’re bringing it to the attention of leverage who can. Phone call is free besides your time.

rco87862y ago

Super cynical. Those people hold outsized power, but they are not invincible by any stretch of the imagination. We hold the power in that we elect the public officials. They care about what we think also.

1 more reply

laweijfmvo2y ago

First step, stop buying or using any product that monetizes your data

zonkerdonker2y ago

Second step: become proficient at bushcraft, because thats where youll be spending the rest of your life after following step one.

vetrom2y ago

Not to keep running with thr joke, but:

- while a total lockdown on exposure control of your personal data is basically impossible, proactive choices do limit it shouldn't be dismissed out of hand

- a working knowledge and practice of bushcraft can be a useful skill, a fulfilling hobby, and can be practiced without feeding money to whatever the flavor of the week is

- conversely, if you do get into that, be prepared for profiteers in that field to push into your attention. Going all bushcrafty is no protection on its own.

rco87862y ago

This is functionally impossible in much of modern society.

bananabiscuit2y ago

Maybe modern society was a mistake.

2 more replies

Brybry2y ago

Is this not just credential stuffing?

The article cites these two sources[1][2] which say

> Unauthorized individuals using account credentials believed to have been obtained from third-party source(s) were used to access individual customer accounts

[1] https://apps.web.maine.gov/online/aeviewer/ME/40/e9cc298b-37...

[2] https://oag.ca.gov/system/files/Template%20Notification%203-...

hentrep2y ago

> potentially affecting 15,363 individuals in the United States, including 76 in the state of Maine.

Odd that Roku singles out the 0.5% of users affected within the state of Maine. Must be related to some sort of Maine data breach law? I didn't dig too deeply, but not seeing anything explicitly called out in their statutes [0].

[0] https://legislature.maine.gov/legis/statutes/10/title10sec13...

NoPicklez2y ago

This just looks more like Roku had identified significant amounts of credential stuffing across customer accounts. As opposed to someone breaking into the back end of Roku and leaking customer account details.

It could also be targeted credential stuffing given recent events. An interesting tactic to create problems for a company.

I'm not saying Roku is a good company, but this isn't really a data breach but poor credential management by customers.

cadence-2y ago

Looks like Ars Technica called it:

Roku is also taking heat for using forced arbitration at all, which some argue can have one-sided benefits. In a similar move in December, for example, 23andMe said users had 30 days to opt out of its new dispute resolution terms, which included mass arbitration rules (the genetics firm let customers opt out via email, though). The changes came after 23andMe user data was stolen in a cyberattack. Forced arbitration clauses are frequently used by large companies to avoid being sued by fed-up customers.

https://arstechnica.com/gadgets/2024/03/disgraceful-messy-to...

RcouF1uZ4gsC2y ago

If enough people do it, forced arbitration can actually end up being expensive for the company. iIRC, there was a case where the company itself tried to get out of the forced arbitration and go to court since it was a pain to try to handle a massive number of individual arbitration cases.

I wonder how Roku would react if every Roku user filed an arbitration case since your data was at risk.

mtlynch2y ago

The Roku lawyers seem to be defending specifically against this.

The new terms have language that say that if enough people enter arbitration at the same time, they have to do one big "mass arbitration."

142y ago

Wow so they will tell an entire group of people to pound sand at the same time. Neat

duskwuff2y ago

> iIRC, there was a case where the company itself tried to get out of the forced arbitration and go to court since it was a pain to try to handle a massive number of individual arbitration cases.

Twitter, in relation to arbitration with employees it terminated? https://arstechnica.com/tech-policy/2023/07/twitter-refuses-...

ajdude2y ago

I remember this happening with Inuit in 2020

> Judge Breyer suggested at the Dec. 17 hearing on the proposed class action settlement that Intuit has only itself to blame for its mass arbitration predicament. “You knew what the rules of arbitration were. You knew all these things. And you elected - you elected to go to arbitration. And you fought fairly, vigorously, and it turns out correctly, that you had this right to insist on arbitration,” the judge told Intuit counsel Rodger Cole of Fenwick & West. “Now you come in, when you see how it is unfolding, and say: ‘Not so fast … Now we want to turn and do something else.’”

https://www.reuters.com/article/legal-us-otc-intuit/judge-br...

iAkashPaul2y ago

That recent push by Roku for accepting updated EULA around arbitration makes quite a lot more sense

enragedcacti2y ago

For those who don't know, just a week or so ago Roku amended the arbitration clause of their terms of service and soft-bricked every Roku in the US until you Agreed to the new terms. This even extended to TVs from other brands with Roku software, making the TV non-functional even as a dumb display since the Roku software controls input selection AND would ignore any HDMI-CEC commands. I guess we know why now.

There is a 30-day window after agreeing where you can mail them a letter opting out of the new arbitration agreement.

https://cordcuttersnews.com/roku-issues-a-mandatory-terms-of...

jayknight2y ago

My kids have been watching TV, they must have accepted it on my behalf. They should have required the parental control pin to accept it.

bee_rider2y ago

Can anyone who understands legal stuff explain this? As a layman Roku’s popup seemed wildly insufficient verification that the account owners were the ones accepting these TOS.

rco87862y ago

Not an expert but have worked on similar stuff and there’s no specific controls that I know of around specifically verifying that the account owner sees these things, just that they’re made available and the account is notified.

penjelly2y ago

not legal, but yes theyll probably get sued for this.

CobrastanJorji2y ago

The whole point of having a quick, online opt-in and an elaborate "mail us a notarized letter" opt-out is to make it very easy to opt in. Why would they want to make it harder? They're already on dodgy legal ground, and the "enter your PIN" wouldn't make it much firmer.

You're thinking like an engineer given the problem of "get people's consent" instead of like a businessman with the goal of "altering the deal."

reaperman2y ago

Someone else pointed out that they can’t even prove it wasnt a dog who agreed by chewing on the remote. Yet somehow these clicks are still considered to legally bind the owner.

freeAgent2y ago

Surely it’s just a happy coincidence that Roku hamfistedly decided to force all customers into arbitration before disclosing a breach…

canucker20162y ago

These lawyers who come up with these schemes never seem to consider capacity planning.

Forced arbitration? Much better than an expensive lawsuit.

Except when hundreds to thousands of people want arbitration and since the company wanted arbitration, we have to foot the bill... Yikes.

Hmmm. Fix the arbitration scaling problem by changing to forced mass arbitration. But the users will have to send in a letter to opt out of the new agreement.

Roku has 80 million+ accounts.

What happens when even one percent of those account opt out? Put on your "grudgingly-pay-the-outrageous-fine-with-pennies" hat and I'm sure you can come up with ways to increase the difficulty level of receiving many letters opting out of this new agreement.

smallmancontrov2y ago

My Roku-enabled TV used to bootloop whenever I blocked it from fetching screensaver ads. Support was happy to help. First step: (re)connect to the internet. Second step: disable any network ad blocking. Hmmmmm.

People rolled their eyes when I suggested that this was intentional, but these recent revelations strongly suggest that Roku is very comfortable exploiting the hell out of dark patterns.

If we don't enact stronger consumer protections, everything will work this way.

queuebert2y ago

For years, it has been the case that, when booting up the Roku, the highlighted item would often be a link that would install an app. My kids have accidentally installed so many things. When I tried to remove YouTube, it suggested it below the installed apps, and the kids re-installed it, without having a clue what they were doing and were confused as to why it now showed ads (logged out), when before it didn't (logged in with Premium).

mdaniel2y ago

In the "old days," the junkbuster proxy used to return a 128x32(?) blank gif in lieu of an actual block because the page layout would :fu: if the ad wasn't in place and correctly sized. I could easily imagine that might help your situation, too

Don't misunderstand me: it's 100% atrocious that any device bootloops if some ad network 403s, but on the spectrum of "spit into one hand..." and nginx in the other ...

smallmancontrov2y ago

Haha, yes, that would be something to try, but in the meantime I upgraded monitors and the new one does not have Roku or any of Roku's problems. Yet. If Roku gets away with it this will be everywhere.

9999000009992y ago

This is absolutely glorious.

Days after forcing it's users into mandatory arbitrations this comes out.

Would be awesome if holding someone's TV hostage until they agree to not sue you was illegal.

acdha2y ago

I hope some regulators ask for proof that the breach was “after” and not “the cause of”. It would not shock me to learn that this was the same playbook 23andme used.

9999000009992y ago

Looking at the state of things I doubt it would make a difference. Roku might pay a nominal fine at most.

CedarMadness2y ago

This breach is suspiciously close to their new forced arbitration in their terms of service.

bee_rider2y ago

I wonder if the obviously coordinated nature of this change will come back to bite them in the ass. It seems hard to believe that it was a good-faith change on their part.

Also, the breach happened while people were receiving services under the old TOS, not the new one. I wonder if that could impact things?

mtlynch2y ago

Related: Ask HN: Fighting back against Roku's forced arbitration?

https://news.ycombinator.com/item?id=39503941 (2024-02-25)

pvg2y ago

It's related as in they are both things about Roku but it's too early to tell if these two events are actually related in some more meaningful way.

bee_rider2y ago

The timing is sort of hard not to be suspicious of though, right?

neglesaks2y ago

In business, if the consumer gets shafted it hard, it not a coincidence.

lagniappe2y ago

Changing terms after the fact does not change the terms that were being operated under during the time of the breach.

eli2y ago

If you agree to all disputes going through arbitration then all disputes go through arbitration

whynotmaybe2y ago

One after the other, can we all assume now that a data breach for any company is not an "if" anymore, just a "when"?

bee_rider2y ago

Yeah, this sort of thing must make business harder to do. At least, I try to avoid putting my card into any service I can avoid.

Card won’t be charged during the free trial? Don’t need another copy out there!

jkic472y ago

Could that be a reason they amended their terms and conditions in such a draconian way?

1 more reply

djinnandtonic2y ago

Why does this notification say passwords were compromised and not password hashes? Certainly Roku engineers were better than that?

supportengineer2y ago

These are most likely people with easy guessed passwords like “password”. The notification suggests the attackers purchased these email/password combos in bulk. That’s likely all this is.

grimgrin2y ago

> As a result, unauthorized actors were able to obtain login information from third-party sources and then use it to access certain individual Roku accounts. After gaining access, they then changed the Roku login information for the affected individual Roku accounts, and, in a limited number of cases, attempted to purchase streaming subscriptions.

how limited and what subs

1 more reply

bee_rider2y ago

So, I guess this must be why they changed their TOS.

1 more reply

matrix122y ago

It sure would be nice to know what was exposed in the hack. Given they are an advertisement company.

2 more replies

BHSPitMonkey2y ago

This is your regular reminder to audit your password manager for accounts you no longer need, and then go and have those accounts deleted.

Of course you can't guarantee that your data will actually be purged, or that it hasn't already been compromised from these places - but less exposure is better than more exposure, right?

1 more reply

tiahura2y ago

I'm sorry, after 20 years of data breach alarmism, and resulting de minimus consequences, isn't time for some of this to get a "who cares?"

MeImCounting2y ago

I think theres actually a huge industry around buying and using the information stolen in these breaches? Identity theft is a pretty big problem no? This seems like a really weird take.

j / k navigate · click thread line to collapse

63 comments

brevitea2y ago

Sure wish CISA and SEC would effectively monitor and fine companies that suffer data breaches. After all, we're not being paid for that data, yet we remain the victim of their actions.

toomuchtodo2y ago

Reporting requirements exist [1], civil and criminal penalties will require Congressional action.

[1] https://www.sec.gov/news/press-release/2023-139

[2] https://reportfraud.ftc.gov/

ryandrake2y ago

> Call your congressperson.

toomuchtodo2y ago

rco87862y ago

1 more reply

laweijfmvo2y ago

First step, stop buying or using any product that monetizes your data

zonkerdonker2y ago

Second step: become proficient at bushcraft, because thats where youll be spending the rest of your life after following step one.

vetrom2y ago

Not to keep running with thr joke, but:

- while a total lockdown on exposure control of your personal data is basically impossible, proactive choices do limit it shouldn't be dismissed out of hand

- a working knowledge and practice of bushcraft can be a useful skill, a fulfilling hobby, and can be practiced without feeding money to whatever the flavor of the week is

- conversely, if you do get into that, be prepared for profiteers in that field to push into your attention. Going all bushcrafty is no protection on its own.

rco87862y ago

This is functionally impossible in much of modern society.

bananabiscuit2y ago

Maybe modern society was a mistake.

2 more replies

Brybry2y ago

Is this not just credential stuffing?

The article cites these two sources[1][2] which say

> Unauthorized individuals using account credentials believed to have been obtained from third-party source(s) were used to access individual customer accounts

[1] https://apps.web.maine.gov/online/aeviewer/ME/40/e9cc298b-37...

[2] https://oag.ca.gov/system/files/Template%20Notification%203-...

hentrep2y ago

> potentially affecting 15,363 individuals in the United States, including 76 in the state of Maine.

[0] https://legislature.maine.gov/legis/statutes/10/title10sec13...

NoPicklez2y ago

It could also be targeted credential stuffing given recent events. An interesting tactic to create problems for a company.

I'm not saying Roku is a good company, but this isn't really a data breach but poor credential management by customers.

cadence-2y ago

Looks like Ars Technica called it:

https://arstechnica.com/gadgets/2024/03/disgraceful-messy-to...

RcouF1uZ4gsC2y ago

I wonder how Roku would react if every Roku user filed an arbitration case since your data was at risk.

mtlynch2y ago

The Roku lawyers seem to be defending specifically against this.

The new terms have language that say that if enough people enter arbitration at the same time, they have to do one big "mass arbitration."

142y ago

Wow so they will tell an entire group of people to pound sand at the same time. Neat

duskwuff2y ago

> iIRC, there was a case where the company itself tried to get out of the forced arbitration and go to court since it was a pain to try to handle a massive number of individual arbitration cases.

Twitter, in relation to arbitration with employees it terminated? https://arstechnica.com/tech-policy/2023/07/twitter-refuses-...

ajdude2y ago

I remember this happening with Inuit in 2020

https://www.reuters.com/article/legal-us-otc-intuit/judge-br...

iAkashPaul2y ago

That recent push by Roku for accepting updated EULA around arbitration makes quite a lot more sense

enragedcacti2y ago

There is a 30-day window after agreeing where you can mail them a letter opting out of the new arbitration agreement.

https://cordcuttersnews.com/roku-issues-a-mandatory-terms-of...

jayknight2y ago

My kids have been watching TV, they must have accepted it on my behalf. They should have required the parental control pin to accept it.

bee_rider2y ago

Can anyone who understands legal stuff explain this? As a layman Roku’s popup seemed wildly insufficient verification that the account owners were the ones accepting these TOS.

rco87862y ago

penjelly2y ago

not legal, but yes theyll probably get sued for this.

CobrastanJorji2y ago

You're thinking like an engineer given the problem of "get people's consent" instead of like a businessman with the goal of "altering the deal."

reaperman2y ago

Someone else pointed out that they can’t even prove it wasnt a dog who agreed by chewing on the remote. Yet somehow these clicks are still considered to legally bind the owner.

freeAgent2y ago

Surely it’s just a happy coincidence that Roku hamfistedly decided to force all customers into arbitration before disclosing a breach…

canucker20162y ago

These lawyers who come up with these schemes never seem to consider capacity planning.

Forced arbitration? Much better than an expensive lawsuit.

Except when hundreds to thousands of people want arbitration and since the company wanted arbitration, we have to foot the bill... Yikes.

Hmmm. Fix the arbitration scaling problem by changing to forced mass arbitration. But the users will have to send in a letter to opt out of the new agreement.

Roku has 80 million+ accounts.

smallmancontrov2y ago

People rolled their eyes when I suggested that this was intentional, but these recent revelations strongly suggest that Roku is very comfortable exploiting the hell out of dark patterns.

If we don't enact stronger consumer protections, everything will work this way.

queuebert2y ago

mdaniel2y ago

Don't misunderstand me: it's 100% atrocious that any device bootloops if some ad network 403s, but on the spectrum of "spit into one hand..." and nginx in the other ...

smallmancontrov2y ago

9999000009992y ago

This is absolutely glorious.

Days after forcing it's users into mandatory arbitrations this comes out.

Would be awesome if holding someone's TV hostage until they agree to not sue you was illegal.

acdha2y ago

I hope some regulators ask for proof that the breach was “after” and not “the cause of”. It would not shock me to learn that this was the same playbook 23andme used.

9999000009992y ago

Looking at the state of things I doubt it would make a difference. Roku might pay a nominal fine at most.

CedarMadness2y ago

This breach is suspiciously close to their new forced arbitration in their terms of service.

bee_rider2y ago

I wonder if the obviously coordinated nature of this change will come back to bite them in the ass. It seems hard to believe that it was a good-faith change on their part.

Also, the breach happened while people were receiving services under the old TOS, not the new one. I wonder if that could impact things?

mtlynch2y ago

Related: Ask HN: Fighting back against Roku's forced arbitration?

https://news.ycombinator.com/item?id=39503941 (2024-02-25)

pvg2y ago

It's related as in they are both things about Roku but it's too early to tell if these two events are actually related in some more meaningful way.

bee_rider2y ago

The timing is sort of hard not to be suspicious of though, right?

neglesaks2y ago

In business, if the consumer gets shafted it hard, it not a coincidence.

lagniappe2y ago

Changing terms after the fact does not change the terms that were being operated under during the time of the breach.

eli2y ago

If you agree to all disputes going through arbitration then all disputes go through arbitration

whynotmaybe2y ago

One after the other, can we all assume now that a data breach for any company is not an "if" anymore, just a "when"?

bee_rider2y ago

Yeah, this sort of thing must make business harder to do. At least, I try to avoid putting my card into any service I can avoid.

Card won’t be charged during the free trial? Don’t need another copy out there!

jkic472y ago

Could that be a reason they amended their terms and conditions in such a draconian way?

1 more reply

djinnandtonic2y ago

Why does this notification say passwords were compromised and not password hashes? Certainly Roku engineers were better than that?

supportengineer2y ago

These are most likely people with easy guessed passwords like “password”. The notification suggests the attackers purchased these email/password combos in bulk. That’s likely all this is.

grimgrin2y ago

how limited and what subs

1 more reply

bee_rider2y ago

So, I guess this must be why they changed their TOS.

1 more reply

matrix122y ago

It sure would be nice to know what was exposed in the hack. Given they are an advertisement company.

2 more replies

BHSPitMonkey2y ago

This is your regular reminder to audit your password manager for accounts you no longer need, and then go and have those accounts deleted.

Of course you can't guarantee that your data will actually be purged, or that it hasn't already been compromised from these places - but less exposure is better than more exposure, right?

1 more reply

tiahura2y ago

I'm sorry, after 20 years of data breach alarmism, and resulting de minimus consequences, isn't time for some of this to get a "who cares?"

MeImCounting2y ago

I think theres actually a huge industry around buying and using the information stolen in these breaches? Identity theft is a pretty big problem no? This seems like a really weird take.

j / k navigate · click thread line to collapse