Roku has disclosed a data breach impacting over 15,000 customers after hacked accounts were used to make fraudulent purchases of hardware and streaming subscriptions.

However, BleepingComputer has learned there is more to this attack, with threat actors selling the stolen accounts for as little as $0.50 per account, allowing purchasers to use stored credit cards to make illegal purchases.

On Friday, Roku first disclosed the data breach, warning that 15,363 customer accounts were hacked in a credential stuffing attack. 

A credential stuffing attack is when threat actors collect credentials exposed in data breaches and then attempt to use them to log in to other sites, in this case, Roku.com.

The company says that once an account was breached, it allowed threat actors to change the information on the account, including passwords, email addresses, and shipping addresses.

This effectively locked a user out of the account, allowing the threat actors to make purchases using stored credit card information without the legitimate account holder receiving order confirmation emails.

"It appears likely that the same username/password combinations had been used as login information for such third-party services as well as certain individual Roku accounts," reads the data breach notice.

"As a result, unauthorized actors were able to obtain login information from third-party sources and then use it to access certain individual Roku accounts."

"After gaining access, they then changed the Roku login information for the affected individual Roku accounts, and, in a limited number of cases, attempted to purchase streaming subscriptions.

Roku says that it secured the impacted accounts and forced a password reset upon detecting the incident.

Additionally, the platform's security team investigated for any charges due to unauthorized purchases performed by the hackers and took steps to cancel the relevant subscriptions and refund the account holders.

Legitimate account holders who got hijacked must visit "my.roku.com" and click on 'Forgot password?' to get a reset link on their email.

After accessing the account, head to the Roku dashboard and review the activity, connected devices, and active subscriptions to ensure everything is legitimate.

Unfortunately, Roku does not support two-factor authentication, which prevents hijacks even in the case of credentials compromise.

Roku accounts are only worth 50 cents

Roku is a digital media and streaming content company offering streaming sticks and boxes, home automation kits, sound bars, light strips, and TVs running its specialized OS, allowing users to access services like Netflix, Hulu, and Amazon Prime Video.

To generate revenue, Roku also allows customers to purchase streaming subscriptions directly through their Roku account. This enables customers to manage all their streaming services through one account.

However, when adding a subscription, Roku stores customers' credit card information in their online accounts so that they can easily be used for future purchases.

BleepingComputer has learned that numerous threat actors are conducting credential stuffing attacks using the Open Bullet 2 or SilverBullet cracking tools.

These programs allow you to import custom configs (configuration files) that are created to perform credential stuffing attacks against specific websites, such as Netflix, Steam, Chick-fil-A, and Roku.

A researcher told BleepingComputer last week that the threat actors have been using a Roku config to perform credential stuffing attacks for months, bypassing brute force attack protections and captchas by using specific URLs and rotating through lists of proxy servers.

Successfully hacked accounts are then sold on stolen account marketplaces for as little as 50 cents, as seen below where 439 accounts are being sold.

The seller of these accounts provides information on how to change information on the account to make fraudulent purchases.

Those who purchase the stolen accounts hijack them with their own information and use stored credit cards to purchase cameras, remotes, soundbars, light strips, and streaming boxes.

After making their purchases, it is common for them to share screenshots of redacted order confirmation emails on Telegram channels associated with the stolen account marketplaces.

Recently, Roku has been under fire for making changes to its "Dispute Resolution Terms" and preventing customers from using their streaming devices until they agree to them.

These new terms force customers to first handle any complaints through an in-person, phone, or video call with the company's legal representatives before a claim can be filed in arbitration.

However, as shown in the image above, there is no way to continue using a Roku streaming device without first agreeing to the terms.

A source told BleepingComputer that the new Dispute Resolution Terms are in part related to the ongoing credential stuffing attacks and financial fraud being conducted through the hacked accounts.

Update 3/11/24: After the publication of our article, Roku disputed what we we were told, stating that the new Dispute Resolution Terms are not related to the hacked accounts and fraudulent acitivities.