Roku suffered another data breach, this time affecting 576,000 accounts

Ghostalmedia@lemmy.world to Technology@lemmy.world – 374 points –
engadget.com

Can't wait till we find out that the arbitration agreement they forced on people was penned up shortly after they discovered the breach.

I think it's already been shown that it was penned up shortly after they discovered the last breach.

insert shocked.gif here.

Fuck these companies. They all need to rot.

Seriously; anyone not pirating deserved this. Maybe they'll learn better.

So instead of giving people notice so they can change their information they decide to sit on it until they cover their asses. Typical.

The only way to be safe is to pirate.

Anything else puts you at unnecessary risk.

Never buying a Roku product ever again. Their TVs used to be a good deal but I’ll pay a premium for something else next time.

Hey, at least their research is focusing on serving you ads through HDMI instead of security, so even if you're not using the Roku, you can still get their ads over HDMI.

I'm thankful Roku has had data breaches. Mostly because I have a Roku TV that was somehow compromised and now, even after a couple of years and several full factory resets, whoever used my throwaway account signed up for all the streaming services at the highest tier. Hard to be mad when I haven't had to pay for anything.

And no, before anyone says anything, it's not putting my home network at risk, as it's just the Roku account that's compromised. Nothing tied to me personally, not even a card/address on the account, so I just chalk it up to "as long as it keeps working, I'm not worrying about it".

Free stuff is great and all, but I imagine they’re using a stolen CC to pay for those subscriptions and they’re exploiting someone who’s not great at paying attention to their credit card bill.

You may want to report it so that someone isn’t getting fucked over.

Do not report it, Roku won't investigate financial fraud, but they will kick you out.

They will boot your account if you contact CS and say “my account has been compromised?”

At worst, they might cancel the subscriptions. I imagine trying to give the money back (get the charges reversed) is the labor intensive part.

Exactly. Having been on the CS side of the house for stuff like this, I can’t imagine they would penalize the customer for coming forward. Customer service ain’t got time for that. They’re going to remove the card, reset the password, and maybe report the card.

Taking money from someone else’s bank account is a shitty thing to do. I don’t know why anyone here would be in support of not reporting this.

My account is with mailinator (free throwaway email) and I'm hopeful someone does this for me. That sounds quite nice.

But it’s probably using a stolen CC. I wouldn’t feel too great about using someone else’s credit card without their knowledge. I’d report it and try to get the card suspended.

I used to blame my cousin, as she has a raging drug addiction and does shady crap like steal people's credit cards/checks and it was only after she had been over that I had noticed. But nope, still going despite time and resets. If I knew a way of pulling login info off the TV, I'd probably share it, because hell, why not.

This is not a "Roku data breach."

This is a use of compromised user credentials, with Roku as the target.

Yeah, but they don’t have contemporary best practices in place that would’ve reduced their exposure to this.

The only thing that would have prevented this in this context would be mandatory MFA. Did they have that? No, but there's a huge number of places that are way more sensitive than a streaming platform that don't have mandatory MFA (coughETradecough).

It is wholly misleading to characterize this as a "Roku data breach," and it's disingenuous to portray Roku in this instance as somehow glaringly worse than everyone else.

Wouldn't salted hashes have prevented this?

You just add some extra characters to every password before hashing and then stolen hashes and rainbow tables don't work any more.

In other words, I think ghostalmedia is correct, best practices would have prevented this.

No. Nobody has stolen hashes. They have usernames and passwords collected from elsewhere, that they tried against Roku, because people tend to reuse usernames and passwords.
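Added example (not from anyone in this thread, and not Roku's code) illustrating the two comments above: per-user salted hashing does stop precomputed tables against a stolen hash database, yet a reused password still verifies correctly when an attacker sends it, which is why salting does nothing against credential stuffing. The last part shows what the target site can actually see: a constructed auth log (assumed `timestamp ip username result` format, documentation IP ranges) and a simple heuristic that flags one source IP walking many distinct usernames with mostly failures. The iteration count and thresholds are assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional

ITERATIONS = 100_000  # assumed PBKDF2 work factor; tune to your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Hash a password with a fresh 16-byte random salt using PBKDF2-HMAC-SHA256.
    Returns (salt, digest); both are stored, and the salt need not be secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def salting_defeats_precomputation() -> bool:
    """Two users with the same password get different digests because the salts differ,
    so one precomputed (rainbow) table cannot cover both stored hashes."""
    _, d1 = hash_password("Summer2023!")
    _, d2 = hash_password("Summer2023!")
    return d1 != d2


def credential_stuffing_still_works() -> bool:
    """Constructed scenario: the user reused a password that leaked from some other site.
    The target site stores it properly (salted, iterated) and still accepts it, because
    the attacker submits the real password, not a hash. Salting is irrelevant here."""
    leaked_password = "Summer2023!"                  # constructed third-party leak
    salt, digest = hash_password(leaked_password)    # what the target site stored
    return verify_password(leaked_password, salt, digest)


# Constructed auth log, not real Roku data: "<timestamp> <client_ip> <username> <result>"
AUTH_LOG = """\
2024-04-12T10:00:01Z 203.0.113.7 alice FAIL
2024-04-12T10:00:01Z 203.0.113.7 bob FAIL
2024-04-12T10:00:02Z 203.0.113.7 carol OK
2024-04-12T10:00:02Z 203.0.113.7 dave FAIL
2024-04-12T10:00:03Z 203.0.113.7 erin FAIL
2024-04-12T10:00:03Z 203.0.113.7 frank FAIL
2024-04-12T10:00:04Z 203.0.113.7 grace FAIL
2024-04-12T10:00:05Z 198.51.100.20 alice FAIL
2024-04-12T10:00:09Z 198.51.100.20 alice OK
2024-04-12T10:01:00Z 192.0.2.44 heidi OK
""".splitlines()


def flag_stuffing_sources(lines, min_distinct_users: int = 5, max_success_rate: float = 0.5) -> dict:
    """Flag client IPs that try many *different* usernames and fail on most of them.
    A legitimate user who mistypes retries one account (198.51.100.20 above); a
    credential-stuffing source walks a list of accounts with a low hit rate."""
    users = defaultdict(set)
    attempts = defaultdict(int)
    successes = defaultdict(int)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _, ip, user, result = parts
        users[ip].add(user)
        attempts[ip] += 1
        if result == "OK":
            successes[ip] += 1
    flagged = {}
    for ip in attempts:
        rate = successes[ip] / attempts[ip]
        if len(users[ip]) >= min_distinct_users and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(users[ip]),
                "successes": successes[ip],
                "attempts": attempts[ip],
            }
    return flagged


if __name__ == "__main__":
    print("salting defeats precomputation:", salting_defeats_precomputation())
    print("reused password accepted despite salting:", credential_stuffing_still_works())
    for ip, stats in flag_stuffing_sources(AUTH_LOG).items():
        print(f"{ip}: {stats}")
```

The point of the split is that hashing discipline and login-abuse detection protect against different things: the first limits damage if your own database leaks, the second (together with MFA, as mentioned above) is what limits damage when someone else's database leaks.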

Ugh... Who is still storing passwords in the clear... For fuck sake...

That doesn’t have anything to do with it, really. There’s plenty of ways that credentials get “leaked,” not the least of which is users who reuse passwords also falling for scam emails that have them “log in” to something. It could matter if some specific credentials were initially acquired because some other place was storing clear text passwords, and that place had a breach.

Still wouldn’t be an issue at all if users didn’t reuse passwords. That’s the lynchpin. This is users’ fault, not Roku’s.

It could matter if some specific credentials were initially acquired because some other place was storing clear text passwords, and that place had a breach.

Exactly, that was my assumption.

After all, reusing passwords for multiple sites becomes a problem as soon as the password becomes known. But for that password to become known, some site had to either allow the plaintext password to be leaked, or an unsalted hash. Or the site has to allow for insecure (easily guessable) passwords to be used.

Reusing passwords is undeniably the user's fault, but only because some other site's security measures may also have been negligent.

Will be interesting to see how people react when Netflix rolls out mandatory two factor auth for logins.

I believe that data breaches are so frequent, that we now have a dedicated community to post these.