Roku Makes 2FA Mandatory For All After Nearly 600K Accounts Pwned (theregister.com)

Roku has made two-factor authentication (2FA) mandatory for all users following two credential stuffing attacks that compromised approximately 591,000 customer accounts and led to unauthorized purchases in fewer than 400 cases. The Register reports: Credential stuffing and password spraying are both fairly similar types of brute force attacks, but the former uses known pairs of credentials (usernames and passwords). The latter simply spams common passwords at known usernames in the hope one of them leads to an authenticated session. "There is no indication that Roku was the source of the account credentials used in these attacks or that Roku's systems were compromised in either incident," it said in an update to customers. "Rather, it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials."

All accounts now require 2FA to be implemented, whether they were affected by the wave of compromises or not. Roku has more than 80 million active accounts, so only a minority were affected, and these have all been issued mandatory password resets. Compromised or not, all users are encouraged to create a strong, unique password for their accounts, consisting of at least eight characters, including a mix of numbers, symbols, and letter cases. [...] Roku also asked users to remain vigilant to suspicious activity regarding its service, such as phishing emails or clicking on dodgy links to reset passwords -- the usual stuff. "In closing, we sincerely regret that these incidents occurred and any disruption they may have caused," it said. "Your account security is a top priority, and we are committed to protecting your Roku account."
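As an added illustration (not code from Roku or The Register) of what the attacks described above look like from the defender's side: both credential stuffing and password spraying spread attempts across many accounts with few tries each, and successful logins from such a source are the accounts that need the forced reset Roku issued. The log layout and thresholds are assumptions; the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample auth log (not a real Roku format; layout is assumed):
# timestamp, source IP, username, outcome. 203.0.113.7 tries six accounts
# once each and two succeed; 198.51.100.9 is one user retrying a typo.
SAMPLE_LOG = """\
2024-04-15T19:01:02Z 203.0.113.7 alice FAIL
2024-04-15T19:01:03Z 203.0.113.7 bob FAIL
2024-04-15T19:01:04Z 203.0.113.7 carol OK
2024-04-15T19:01:05Z 203.0.113.7 dave FAIL
2024-04-15T19:01:06Z 203.0.113.7 erin OK
2024-04-15T19:01:07Z 203.0.113.7 frank FAIL
2024-04-15T19:05:00Z 198.51.100.9 grace FAIL
2024-04-15T19:05:20Z 198.51.100.9 grace FAIL
2024-04-15T19:05:41Z 198.51.100.9 grace OK
"""

def parse_log(text):
    """Parse 'timestamp src_ip username outcome' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, user, outcome = line.split()
            events.append({"ts": ts, "src": src, "user": user, "ok": outcome == "OK"})
    return events

def find_stuffing_sources(events, min_users=5, max_tries_per_user=2):
    """Flag sources that touch many distinct accounts with few tries each.

    From the server side, credential stuffing (leaked user/password pairs)
    and password spraying (one common password across many users) share this
    shape: the attacker spreads attempts across accounts to stay under
    per-account lockout. Successful logins from a flagged source are the
    accounts to force-reset, as Roku did for the compromised accounts.
    Returns {src_ip: {"users": count, "compromised": [usernames]}}."""
    per_src = defaultdict(lambda: defaultdict(list))
    for e in events:
        per_src[e["src"]][e["user"]].append(e["ok"])
    hits = {}
    for src, users in per_src.items():
        tries = sum(len(v) for v in users.values())
        if len(users) >= min_users and tries / len(users) <= max_tries_per_user:
            compromised = sorted(u for u, oks in users.items() if any(oks))
            hits[src] = {"users": len(users), "compromised": compromised}
    return hits

if __name__ == "__main__":
    print(find_stuffing_sources(parse_log(SAMPLE_LOG)))
```

A real deployment would also look at distinct sources per account, since stuffing campaigns are usually spread across many IPs.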

  • 2fa to view TV? Better to just pirate content!

    • Mebbe they could tag that to the commercials, forcing you to use a 2FA that also involved getting some rando number at the end of the ad.

    • It's just to log in Roku accounts, so it would only happen when logging into the Roku website or associating a newly-purchased Roku device/television with your account.

      An easier solution would just be to stop storing payment information for users at all, as it's of pretty limited usefulness for customers. I don't believe Roku has a paid media store like Amazon and Google, so people are very rarely going to be making credit card payments to Roku as a company. Its main use now is simply for buying additional R

      • I think this is a good solution. Or you could do 2FA for important things like taking money out of my account. But things like logging on to watch television or playing a game don't care; stop complicating simple things.

        But of course that would make making a payment a hassle and people might buy less; better to make it worse every time you log in.

      • by Zak3056 ( 69287 )

        I don't believe Roku has a paid media store like Amazon and Google

        IIRC, Roku Channel has some paid options. I am sure that it offers the same "subscribe to HBO/Paramount/whatever" features that Amazon/Google offer. So yes, they have a need to process recurring payments.

      • 2FA is a royal pain in the ass here. And most places. Once turned on you can't turn it off if you lose a phone, or don't have access to the original number, or a hacker has replaced the phone number with a different one. That can keep you permanently locked out of your own account, and has happened to some relatives' accounts. I have played tug of war before with hackers who've kept changing contact information to their own, requiring getting on the phone with the company to ensure it's all fixed, and ma

        • Ah, it didn't ask me about using 2FA, or ask for a phone number. Apparently, my email is the 2nd factor here, because it authenticated me via a link sent in email? Or they have not yet required the 2FA that the article says they're requiring?

          I did delete credit card info that was there though.

          • Updating, this is from Roku:

            As a part of our ongoing commitment to information security, we have enabled two-factor authentication (2FA) for all Roku accounts, even for those that have not been impacted by these recent incidents. As a result, the next time you attempt to log in to your Roku account online, a verification link will be sent to the email address associated with your account, and you will need to click the link in the email before you can access the account.

    • by PPH ( 736903 )

      Rabbit ears.

    • by Bert64 ( 520050 )

      consisting of at least eight characters, including a mix of numbers, symbols, and letter cases

      Who wants to keep typing a password like that into a device with no keyboard?

  • More work for me!

    by BishopBerkeley ( 734647 ) on Monday April 15, 2024 @07:12PM (#64396802)
    Now I gotta go work out the 2FA for my mom's Roku once she gets the weird message. In all earnest, technology is not making life easier anymore. It's becoming a burden.
  • by PubJeezy ( 10299395 ) on Monday April 15, 2024 @07:52PM (#64396880)
    I shouldn't need an account to use my TV. I never even decided I wanted a Roku, I just bought the TV that was the best deal at the time and it had a Roku built in.

    At this point, I believe it's likely that most of Roku's never actually "chose" them as opposed to being stuck with them by a manufacturer.

    Roku is a wholly unproductive that created a predatory wedge in the supply for Television. Being unproductive is bad but they're not just a pointless company cleaning some dirty revenue. Their very existence is hurting their user base...why is that allowed to continue? Why is Roku allowed to do business in civilized society when they have NOTHING to offer their userbase except risk.
    • I just bought the TV that was the best deal at the time and it had a Roku built in.

      Could it be that it was the best deal because it had a discount from Roku as a form of customer acquisition?

      Excuse my ignorance, is it possible to use the TV as a dumb display through the HDMI port (without logging into an account), and watch contents from another streamer box?

      • Excuse my ignorance, is it possible to use the TV as a dumb display through the HDMI port (without logging into an account), and watch contents from another streamer box?

        That is exactly how I use my Roku TV. I was almost ready to return the TV the first time I powered it up. Any signal through the HDMI ports was laggy and the antenna signals were almost non-existent. So reluctantly I connected an ethernet cable and tried to allow it to update. Their DHCP implementation was very broken. It would accept an IP address but substitute its own default route and of course fail. So it finally took setting a static DHCP lease and then it updated successfully. I immediately unplugge

    • by antdude ( 79039 )

      I also noticed Roku's YouTube app shows login screen these days. Have to pick guest to skip the login (don't want this).

    • First rule of shopping, know what you are buying.
  • by Kunedog ( 1033226 ) on Monday April 15, 2024 @07:58PM (#64396892)
    IMO Roku made the best hardware box specifically because they had no significant streaming service, so it was in their best interest to ensure it worked well (or at least acceptably) with all the streaming services that matter.

    I can see why Roku themselves don't care about ruining it all (for their customers) by becoming a big streaming player, which they could leverage to get onto other platforms and stop doing all that hard work of making their own good hardware (Hell, maybe even sabotage Rokus for competing services or stop supporting them). But in the long run wouldn't that inevitably devalue their most valuable business segment (hardware), and probably leave them in a much worse position as "just another streaming service" on platforms owned by someone else (Google/Apple/etc.)?

    P.S. When I set up my Roku 3 a decade ago, it demanded I give it a pointless Roku user/pass and credit card number. There was an alternate activation URL that bypassed the CC# requirement, but you'd only have learned it if you were pissed off enough to call Roku tech support (or simply google for it, as I did). So back then Roku's ambitions were merely a temporary annoyance, but that has clearly changed for the worse.
  • Welcome to the future. I actually appreciate it when an app I haven't used in a while just skips asking me for a password and sends me an email to both verify my identity and log me in. If Roku does it well, then it can be fine... easier than painfully typing in a password with a TV remote, actually.

  • I mean, seriously... I don't use any paid services on it. If someone wants to "hack" my account to re-watch the Weird Al movie on the Roku Channel instead of spending 5 minutes to create their own account, have at it.

  • "We can't properly secure our shit so we are going to make it your problem"
  • The amount of pushback I've gotten moving all my customers to use it for O365 has given me such burnout. It's not that hard, it only takes a few seconds. I have to do it 50x a day for work. If you can't handle MFA on every service you use, just get off the internet. You're just not compatible anymore. I'm so tired of people acting like this slight inconvenience that stops a majority of intrusions is the end of the world. Put on your big boy pants please.
    • I am not sorry that they have beaten you into accepting this thing.
      This shit is a royal fucking pain in the ass.
      There isn't one system. There are so many of them, each with their own issues.
      SMS is slow, requires an active phone, and has been shown to be insecure.
      Email isn't better.
      Then there are the ad-filled auth apps.
      And even if you find a good one of those, the service might not even allow it to be used.
      The incredibly overpriced "security" keys.
      There are things like Steam that don't seem to follow any standard.
