Roku hit by credential stuffing attack

Time to mix up those passwords!

MajorLinux
MajorLinux - Editor-in-chief

As we become even increasingly more online than ever before, it is important that we start taking care of the security we technically still have. It seems like everyday, there is a new breach. This news is only made worse by some companies willing to face facts and notify vulnerable individuals. What Roku went through is more on other companies failing to keep data safe. There are steps we can take to protect ourselves, though.

Roku got stuffed

Over a week ago, Roku was hit by another cyberattack that compromised the accounts of 576,000 users. This is the second one the company suffered since March.

According to Roku, the malicious actors used a method called credential stuffing. Credential stuffing is when you have account information, usually usernames, email addresses, and passwords from another breach and you try them at another site. It’s like stealing the keys from a janitor and trying all the keys until a door opens in another building.

The hackers were unable to gain access to sensitive information like credit cards and addresses. However, the possibility that they already have it is greater than zero to begin with due to the style of attack.

Roku did take proactive steps after the breach. They have reset the passwords for accounts that were affected. Also, all charges made will either be reversed or refunded to those who were affected.

The big move the company did (which should have been done ages ago) is enable two-factor authentication for all 80 million accounts.

What can you do?

While this type of attack couldn’t have been prevented by users, the scope of the attack could have been lowered. In order to decrease your chances of being a victim of credential stuffing, using different passwords for different accounts is a giant step.

You may say that that is a lot of different passwords to keep up with. Then, I recommend a password manager. Most are free and even provide a password generator to make sure your passwords are random and diverse amongst your websites. I recommend Bitwarden as that’s what I use for myself and my family. Whatever you do, please avoid LastPass at all costs! I CANNOT STRESS THIS ENOUGH!!!!!

Next up, if a site or service offers two-factor authentication, enable it. Some have their own methods like Microsoft and Google. Others, like banks, will use SMS or email verification. Everyone else may require the use of another app like Google Authenticator or Authy. If you can, please avoid SMS authentication for two-factor as hackers are known to hijack your SIM and intercept your SMS messages.

Also, if you are ever curious if you were the victim of a breach, you can check out Have I Been Pwned? to see if your accounts have ever shown up. Also, some password managers and even iOS will notify if your data has been leaked somewhere.

Now you have the tools to secure yourself. What you do with that information is up to you!

Source: The Verge

Share This Article
Editor-in-chief
Follow:
Marcus Summers is a Linux system administrator by trade. He has been working with Linux for nearly 15 years and has become a fan of open source ideals. He self identifies as a socialist and believes that the world's information should be free for all.
Leave a Comment

Leave a Reply

Your email address will not be published. Required fields are marked *