
Hackers Steal Almost 600,000 Account Records of Streaming Service Giant Roku

Cable-TV cord cutters should take steps to protect their data



TV streaming giant Roku disclosed April 12 that around 576,000 additional customers' accounts had been hacked, just about a month after it said more than 15,000 users' data had been compromised.

Last year, Roku said adults 50 and older were watching 40 percent of its total minutes streamed as of May 2022, and that age group was growing faster than any other. 

During the initial breach, stolen credit card data was used to purchase streaming subscriptions in some cases and stolen account records were sold for as little as 50 cents each, according to the online information security and technology news site BleepingComputer. Roku notified the California Department of Justice on March 8, saying the data breach occurred between Dec. 28 and Feb. 21.

In the latest incident, “there is no indication that Roku was the source of the account credentials used in these attacks or that Roku’s systems were compromised in either incident,” the company said.

Are you using unique passwords? Hackers will check

The bad guys unleashed what security pros refer to as a “credential stuffing” attack, in which they use stolen usernames and passwords from one platform to try to log into accounts elsewhere. The attack can be effective since many consumers reuse the same or similar login credentials across multiple services, a practice considered a security no-no.

The San Jose company is a leading name among cord cutters, who use Roku-branded televisions or plug-in streaming devices to connect to Amazon Prime, Apple TV+, Hulu, Netflix and all the popular streaming services. Roku also operates its own channel with free TV shows and movies.

Just this week, Roku announced a new lineup of Pro Series televisions and a new backlit remote control so customers can use it in the dark.

Back in March, Roku emailed a statement to AARP that said its “security team recently detected suspicious activity that indicated a limited number of Roku accounts were accessed by unauthorized actors using login credentials obtained from third-party sources (e.g., through data breaches of third-party services that are not related to Roku).” Roku added that, “in response, we took immediate steps to secure these accounts and are notifying affected customers.” 

As part of that investigation, the company determined that once gaining access to the stolen account credentials, the criminals “changed the Roku login information for the affected individual Roku accounts, and in a limited number of cases, attempted to purchase streaming subscriptions.”
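For readers who run a login service, the pattern described above (one source trying many accounts, mostly failing, then changing credentials or buying something on the few that succeed) can be spotted in authentication logs. The sketch below is an added example, not Roku's method; the event format, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real logs): (source_ip, account, event, succeeded)
# 203.0.113.7 tries ten accounts and gets into two; 198.51.100.20 is a normal user.
EVENTS = [("203.0.113.7", f"user{i:02d}", "login", i in (3, 7)) for i in range(1, 11)]
EVENTS += [
    ("203.0.113.7", "user03", "credential_change", True),
    ("203.0.113.7", "user03", "purchase", True),
    ("198.51.100.20", "alice", "login", False),
    ("198.51.100.20", "alice", "login", True),
    ("198.51.100.20", "alice", "purchase", True),
]

def detect_stuffing(events, min_accounts=5, max_success_ratio=0.25):
    """Return source IPs that attempt many distinct accounts and mostly fail."""
    stats = defaultdict(lambda: {"accounts": set(), "ok": 0, "total": 0})
    for ip, account, event, ok in events:
        if event != "login":
            continue
        s = stats[ip]
        s["accounts"].add(account)
        s["total"] += 1
        s["ok"] += ok
    return {
        ip for ip, s in stats.items()
        if len(s["accounts"]) >= min_accounts
        and s["ok"] / s["total"] <= max_success_ratio
    }

def accounts_to_reset(events, suspicious_ips):
    """Map each account a flagged IP logged into -> follow-on actions it took.

    Every key needs a forced password reset; a non-empty list also means
    charges to review and login details to restore.
    """
    hit = {}
    for ip, account, event, ok in events:  # events are assumed time-ordered
        if ip not in suspicious_ips or not ok:
            continue
        if event == "login":
            hit.setdefault(account, [])
        elif account in hit and event in ("credential_change", "purchase"):
            hit[account].append(event)
    return hit

if __name__ == "__main__":
    flagged = detect_stuffing(EVENTS)
    print(flagged, accounts_to_reset(EVENTS, flagged))
```

A single-IP threshold is the simplest case; attackers who spread attempts across many addresses require grouping on other signals as well.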

No Social Security numbers, birth dates imperiled, Roku says

Roku claims that the hackers were not able to access customer Social Security numbers, full payment account numbers, dates of birth or other sensitive personal information. It also says it is continuing to monitor for signs of suspicious activity.

The company reset passwords on any accounts where evidence suggested those accounts were part of the breach. To log in after a company password reset, go to my.roku.com and use the Forgot password? option on the sign-in page.

Roku is refunding or reversing the charges on accounts where hackers purchased streaming subscriptions or Roku hardware.

“We also want to reassure customers that these malicious actors were not able to access sensitive user information or full credit card information,” Roku said.

Roku has more than 80 million active accounts, so the number of consumers apparently affected is less than 1 percent. Still, given this latest announcement, customers should not assume they evaded the crack in Roku’s security.

What can you do?

As always, practice robust digital security hygiene.

Create strong passwords that are not repeated across any of your other online accounts. Roku recommends a mix of at least eight characters, including numbers, symbols, and upper- and lower-case letters.

Review the subscriptions and devices linked to your Roku account, which you can see on your account dashboard. Periodically review statements for all your accounts.

Remain vigilant and report any suspicious activity to Roku and other companies you do business with.

Contact Roku with questions about the incident by calling 816-272-8106 or emailing account-help@roku.com.

Consider obtaining your credit reports from one or more among Equifax, Experian and TransUnion. You can also obtain a free credit report online at annualcreditreport.com or by calling 877-322-8228.

Think about a credit freeze on your file to prevent new credit cards from being opened in your name.

Report other suspicious activity to the Federal Trade Commission, your state’s attorney general office or law enforcement.

This story, originally published March 12, 2024, has been updated with the news of a second Roku breach.
