Roku data breach: Over 15k accounts affected | Better HN

Roku data breach: Over 15k accounts affected | Better HN

63 comments

Sure wish CISA and SEC would effectively monitor and fine companies that suffer data breaches. After all, we're not being paid for that data, yet we remain the victim of their actions.

toomuchtodo2y ago

Reporting requirements exist [1], civil and criminal penalties will require Congressional action.

Definitely gross that companies are using forced arbitration to avoid liability for their breaches (first 23andme, now Roku). Call your congressperson. Also, if you are impacted/have standing, consider an FTC complaint [2] and contacting your state’s attorney general.

[1] https://www.sec.gov/news/press-release/2023-139

[2] https://reportfraud.ftc.gov/

ryandrake2y ago

> Call your congressperson.

I'm sure that after my phone call, my congressperson will drop all the things he is being paid thousands of lobbying dollars to do on behalf of his donors to get right on this. Sorry for the snark, but normal people are powerless to do anything about these shenanigans.

laweijfmvo2y ago

First step, stop buying or using any product that monetizes your data

zonkerdonker2y ago

Second step: become proficient at bushcraft, because thats where youll be spending the rest of your life after following step one.

This is functionally impossible in much of modern society.

Brybry2y ago

Is this not just credential stuffing?

The article cites these two sources[1][2] which say

> Unauthorized individuals using account credentials believed to have been obtained from third-party source(s) were used to access individual customer accounts

[1] https://apps.web.maine.gov/online/aeviewer/ME/40/e9cc298b-37...

[2] https://oag.ca.gov/system/files/Template%20Notification%203-...

> potentially affecting 15,363 individuals in the United States, including 76 in the state of Maine.

Odd that Roku singles out the 0.5% of users affected within the state of Maine. Must be related to some sort of Maine data breach law? I didn't dig too deeply, but not seeing anything explicitly called out in their statutes [0].

[0] https://legislature.maine.gov/legis/statutes/10/title10sec13...

NoPicklez2y ago

This just looks more like Roku had identified significant amounts of credential stuffing across customer accounts. As opposed to someone breaking into the back end of Roku and leaking customer account details.

It could also be targeted credential stuffing given recent events. An interesting tactic to create problems for a company.

I'm not saying Roku is a good company, but this isn't really a data breach but poor credential management by customers.

Looks like Ars Technica called it:

Roku is also taking heat for using forced arbitration at all, which some argue can have one-sided benefits. In a similar move in December, for example, 23andMe said users had 30 days to opt out of its new dispute resolution terms, which included mass arbitration rules (the genetics firm let customers opt out via email, though). The changes came after 23andMe user data was stolen in a cyberattack. Forced arbitration clauses are frequently used by large companies to avoid being sued by fed-up customers.

https://arstechnica.com/gadgets/2024/03/disgraceful-messy-to...

RcouF1uZ4gsC2y ago

If enough people do it, forced arbitration can actually end up being expensive for the company. iIRC, there was a case where the company itself tried to get out of the forced arbitration and go to court since it was a pain to try to handle a massive number of individual arbitration cases.

I wonder how Roku would react if every Roku user filed an arbitration case since your data was at risk.

The Roku lawyers seem to be defending specifically against this.

The new terms have language that say that if enough people enter arbitration at the same time, they have to do one big "mass arbitration."

> iIRC, there was a case where the company itself tried to get out of the forced arbitration and go to court since it was a pain to try to handle a massive number of individual arbitration cases.

Twitter, in relation to arbitration with employees it terminated? https://arstechnica.com/tech-policy/2023/07/twitter-refuses-...

iAkashPaul2y ago

That recent push by Roku for accepting updated EULA around arbitration makes quite a lot more sense

enragedcacti2y ago

For those who don't know, just a week or so ago Roku amended the arbitration clause of their terms of service and soft-bricked every Roku in the US until you Agreed to the new terms. This even extended to TVs from other brands with Roku software, making the TV non-functional even as a dumb display since the Roku software controls input selection AND would ignore any HDMI-CEC commands. I guess we know why now.

There is a 30-day window after agreeing where you can mail them a letter opting out of the new arbitration agreement.

https://cordcuttersnews.com/roku-issues-a-mandatory-terms-of...

jayknight2y ago

My kids have been watching TV, they must have accepted it on my behalf. They should have required the parental control pin to accept it.

bee_rider2y ago

Can anyone who understands legal stuff explain this? As a layman Roku’s popup seemed wildly insufficient verification that the account owners were the ones accepting these TOS.

CobrastanJorji2y ago

The whole point of having a quick, online opt-in and an elaborate "mail us a notarized letter" opt-out is to make it very easy to opt in. Why would they want to make it harder? They're already on dodgy legal ground, and the "enter your PIN" wouldn't make it much firmer.

You're thinking like an engineer given the problem of "get people's consent" instead of like a businessman with the goal of "altering the deal."

reaperman2y ago

Someone else pointed out that they can’t even prove it wasnt a dog who agreed by chewing on the remote. Yet somehow these clicks are still considered to legally bind the owner.

freeAgent2y ago

Surely it’s just a happy coincidence that Roku hamfistedly decided to force all customers into arbitration before disclosing a breach…

canucker20162y ago

These lawyers who come up with these schemes never seem to consider capacity planning.

Forced arbitration? Much better than an expensive lawsuit.

Except when hundreds to thousands of people want arbitration and since the company wanted arbitration, we have to foot the bill... Yikes.

Hmmm. Fix the arbitration scaling problem by changing to forced mass arbitration. But the users will have to send in a letter to opt out of the new agreement.

Roku has 80 million+ accounts.

What happens when even one percent of those account opt out? Put on your "grudgingly-pay-the-outrageous-fine-with-pennies" hat and I'm sure you can come up with ways to increase the difficulty level of receiving many letters opting out of this new agreement.

smallmancontrov2y ago

My Roku-enabled TV used to bootloop whenever I blocked it from fetching screensaver ads. Support was happy to help. First step: (re)connect to the internet. Second step: disable any network ad blocking. Hmmmmm.

People rolled their eyes when I suggested that this was intentional, but these recent revelations strongly suggest that Roku is very comfortable exploiting the hell out of dark patterns.

If we don't enact stronger consumer protections, everything will work this way.

queuebert2y ago

For years, it has been the case that, when booting up the Roku, the highlighted item would often be a link that would install an app. My kids have accidentally installed so many things. When I tried to remove YouTube, it suggested it below the installed apps, and the kids re-installed it, without having a clue what they were doing and were confused as to why it now showed ads (logged out), when before it didn't (logged in with Premium).

In the "old days," the junkbuster proxy used to return a 128x32(?) blank gif in lieu of an actual block because the page layout would :fu: if the ad wasn't in place and correctly sized. I could easily imagine that might help your situation, too

Don't misunderstand me: it's 100% atrocious that any device bootloops if some ad network 403s, but on the spectrum of "spit into one hand..." and nginx in the other ...

9999000009992y ago

This is absolutely glorious.

Days after forcing it's users into mandatory arbitrations this comes out.

Would be awesome if holding someone's TV hostage until they agree to not sue you was illegal.

acdha2y ago

I hope some regulators ask for proof that the breach was “after” and not “the cause of”. It would not shock me to learn that this was the same playbook 23andme used.

9999000009992y ago

Looking at the state of things I doubt it would make a difference. Roku might pay a nominal fine at most.

CedarMadness2y ago

This breach is suspiciously close to their new forced arbitration in their terms of service.

bee_rider2y ago

I wonder if the obviously coordinated nature of this change will come back to bite them in the ass. It seems hard to believe that it was a good-faith change on their part.

Also, the breach happened while people were receiving services under the old TOS, not the new one. I wonder if that could impact things?

Related: Ask HN: Fighting back against Roku's forced arbitration?

https://news.ycombinator.com/item?id=39503941 (2024-02-25)

pvg2y ago

It's related as in they are both things about Roku but it's too early to tell if these two events are actually related in some more meaningful way.

bee_rider2y ago

The timing is sort of hard not to be suspicious of though, right?

neglesaks2y ago

In business, if the consumer gets shafted it hard, it not a coincidence.

lagniappe2y ago

Changing terms after the fact does not change the terms that were being operated under during the time of the breach.

eli2y ago

If you agree to all disputes going through arbitration then all disputes go through arbitration

whynotmaybe2y ago

One after the other, can we all assume now that a data breach for any company is not an "if" anymore, just a "when"?

bee_rider2y ago

Yeah, this sort of thing must make business harder to do. At least, I try to avoid putting my card into any service I can avoid.

Card won’t be charged during the free trial? Don’t need another copy out there!

jkic472y ago

Could that be a reason they amended their terms and conditions in such a draconian way?

djinnandtonic2y ago

Why does this notification say passwords were compromised and not password hashes? Certainly Roku engineers were better than that?

supportengineer2y ago

These are most likely people with easy guessed passwords like “password”. The notification suggests the attackers purchased these email/password combos in bulk. That’s likely all this is.

> As a result, unauthorized actors were able to obtain login information from third-party sources and then use it to access certain individual Roku accounts. After gaining access, they then changed the Roku login information for the affected individual Roku accounts, and, in a limited number of cases, attempted to purchase streaming subscriptions.

how limited and what subs

bee_rider2y ago

So, I guess this must be why they changed their TOS.

It sure would be nice to know what was exposed in the hack. Given they are an advertisement company.

BHSPitMonkey2y ago

This is your regular reminder to audit your password manager for accounts you no longer need, and then go and have those accounts deleted.

Of course you can't guarantee that your data will actually be purged, or that it hasn't already been compromised from these places - but less exposure is better than more exposure, right?

I'm sorry, after 20 years of data breach alarmism, and resulting de minimus consequences, isn't time for some of this to get a "who cares?"

MeImCounting2y ago

I think theres actually a huge industry around buying and using the information stolen in these breaches? Identity theft is a pretty big problem no? This seems like a really weird take.

j / k navigate · click thread line to collapse