Have you recently received a password reset email from Roku? If so, you’d better check your other online accounts too.
In March 2024, streaming and smart TV giant Roku revealed that 15,000+ accounts were breached using a credential stuffing attack—which means any account you used the same password for is also vulnerable.

What Happened to Roku? How Was Roku Breached?
Roku’s official data breach notice [PDF] revealed suspicious activity on more than 15,000 Roku accounts.
However, despite Roku bearing the brunt of the issue, it wasn’t fully at fault. It appears the accounts were all breached using credential stuffing:

Through our investigation, we determined that unauthorized actors had likely obtained certain usernames and passwords of consumers from third-party sources (e.g., through data breaches of third-party services that are not related to Roku). It appears likely that the same username/password combinations had been used as login information for such third-party services as well as certain individual Roku accounts.
Credential stuffing, i.e., an attack that reuses the same username and password information across multiple services, thrives on a massive user error (password reuse) and is a huge problem in the age of enormous data breaches.
In this case, the attackers used the information to make purchases using banking details saved on Roku. But even then, Roku didn’t expose Social Security numbers, full payment account information (all purchases were limited to Roku), or other identifying information.
Received a Roku Password Reset Email? You Should Review Your Other Accounts
Now, credential stuffing is dangerous because people use the same username and password combo across multiple services. So if you received a password reset email from Roku following the breach, it stands to reason you should have a look at your other accounts.
Anywhere you use the same username and password combination could be at risk, even if you don’t use weak, commonly used passwords. (You should never use those passwords!)
How to Check If Your Username and Password Are Breached
There are a couple of ways to figure out if your email and password combination has been exposed in a breach.
The first involves a trip to HaveIBeenPwned, Troy Hunt’s incredibly useful and free data breach checking site. Just enter your email address and hit pwned?, and it’ll reveal all of the data breaches your email address is found in.
That’s a good starting point, but it doesn’t specify usernames, account names, passwords, and so on (for good reason!). To find out where you used the username and password combination, you’re going to have to dig deeper, manually. We’ve covered how to find accounts associated with an email address in-depth, but here’s a quick overview of the methods you can use:
When you track down your old accounts, change each one to have a strong and unique password. Doing so will ensure your accounts are secure against not just credential stuffing attacks but other types of account breaches, password fraud, and more.
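If your logins are saved in a password manager, the reuse check can be done locally. The following is an added example, not part of the original article: a Python script that reads a CSV export and lists which saved sites share the Roku username and password pair, or just the password. The column names (name, url, username, password) and the sample rows are constructed assumptions; adjust them to your manager's export format.

```python
import csv
import hashlib
import io

# Constructed sample in a generic password-manager export layout.
# The column names are an assumption; real exports differ per manager.
SAMPLE_EXPORT = """name,url,username,password
Roku,https://my.roku.com,Pat@example.com,Sunset!42
Shop,https://shop.example,pat@example.com,Sunset!42
Forum,https://forum.example,pat_h,Sunset!42
Bank,https://bank.example,pat@example.com,x9#Lq2vT!mZr
Mail,https://mail.example,pat@example.com ,Sunset!42
"""

def _key(username, password):
    """Digest of the normalised login pair, used only for comparison.

    Assumption: services treat usernames/emails case-insensitively and
    ignore surrounding whitespace, so we lower-case and strip them.
    """
    user = username.strip().lower()
    return hashlib.sha256(f"{user}\x00{password}".encode()).hexdigest()

def find_exposed(export_file, breached_site="roku"):
    """Return (same_combo, same_password_only) lists of site names.

    same_combo: sites using the breached username AND password.
    same_password_only: sites reusing the password under another username.
    Only site names are returned, never the passwords themselves.
    """
    rows = list(csv.DictReader(export_file))
    breached = [r for r in rows if breached_site in r["name"].lower()]
    others = [r for r in rows if breached_site not in r["name"].lower()]
    combos = {_key(r["username"], r["password"]) for r in breached}
    passwords = {_key("", r["password"]) for r in breached}
    same_combo, same_password_only = [], []
    for r in others:
        if _key(r["username"], r["password"]) in combos:
            same_combo.append(r["name"])
        elif _key("", r["password"]) in passwords:
            same_password_only.append(r["name"])
    return same_combo, same_password_only

if __name__ == "__main__":
    combo, pw_only = find_exposed(io.StringIO(SAMPLE_EXPORT))
    print("Same username + password as Roku (change first):", combo)
    print("Same password, different username (change next):", pw_only)
```

To run it on a real export, pass an opened file instead of the sample, and delete the export file afterwards, since it holds every password in plaintext.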
So take a minute to search your inbox for a Roku password reset email, and if it’s there, take action to stay safe!