Roku data breach: Over 15k accounts affected
claimdepot.com
Sure wish CISA and SEC would effectively monitor and fine companies that suffer data breaches. After all, we're not being paid for that data, yet we remain the victim of their actions.
Reporting requirements exist [1], civil and criminal penalties will require Congressional action.
Definitely gross that companies are using forced arbitration to avoid liability for their breaches (first 23andme, now Roku). Call your congressperson. Also, if you are impacted/have standing, consider an FTC complaint [2] and contacting your state’s attorney general.
> Call your congressperson.
I'm sure that after my phone call, my congressperson will drop all the things he is being paid thousands of lobbying dollars to do on behalf of his donors to get right on this. Sorry for the snark, but normal people are powerless to do anything about these shenanigans.
Medicare drug negotiations and $8 credit card late fee payments are my rebuttal. You aren’t supposed to fix it; you’re bringing it to the attention of leverage who can. Phone call is free besides your time.
Super cynical. Those people hold outsized power, but they are not invincible by any stretch of the imagination. We hold the power in that we elect the public officials. They care about what we think also.
> We hold the power in that we elect the public officials.
Very optimistic attitude!
Is it? Just a plain fact. At least in the US
I don't know what you mean by "fact", but your vote certainly holds less proportional power to influence a politician than that of 1/(population of the us). Politicians straight-up don't care about your opinion unless you can show up as a meaningful horde, and judging by the reaction to the Israeli invasion of Palestine that doesn't hold much water either.
I literally said that other interests hold outsized power. Not sure what your goal is here.
I guess I read your comment as contradicting itself by the phrase "the power" rather than "the illusion of power", especially since the american public is so easily distracted by petty squabbling, whereas capital is emphatically not easily distracted but extremely focused on what it wants.
Anyway, I don't mean to start an argument over the power of voting, illusory or no. We all have opinions about the value of voting that we hold rather tightly given so much emphasis is placed on it as the center of the political power we do hold.
There have been a bunch of studies that show votes follow the donations, and the majority of folks aren't donating much.
First step, stop buying or using any product that monetizes your data
Second step: become proficient at bushcraft, because that's where you'll be spending the rest of your life after following step one.
Not to keep running with the joke, but:
- while a total lockdown on exposure control of your personal data is basically impossible, proactive choices that do limit it shouldn't be dismissed out of hand
- a working knowledge and practice of bushcraft can be a useful skill, a fulfilling hobby, and can be practiced without feeding money to whatever the flavor of the week is
- conversely, if you do get into that, be prepared for profiteers in that field to push into your attention. Going all bushcrafty is no protection on its own.
This is functionally impossible in much of modern society.
Maybe modern society was a mistake.
how much time have you spent in a non-modern society? cuz I got deployed twice and saw some pretty backwards-ass places overseas.
like we can just pass laws that respect privacy, dawg. build some better public transit.
That’s pretty tough to argue by any measurement I can think of.
Is this not just credential stuffing?
The article cites these two sources[1][2] which say
> Unauthorized individuals using account credentials believed to have been obtained from third-party source(s) were used to access individual customer accounts
[1] https://apps.web.maine.gov/online/aeviewer/ME/40/e9cc298b-37...
[2] https://oag.ca.gov/system/files/Template%20Notification%203-...
> potentially affecting 15,363 individuals in the United States, including 76 in the state of Maine.
Odd that Roku singles out the 0.5% of users affected within the state of Maine. Must be related to some sort of Maine data breach law? I didn't dig too deeply, but not seeing anything explicitly called out in their statutes [0].
[0] https://legislature.maine.gov/legis/statutes/10/title10sec13...
This just looks more like Roku had identified significant amounts of credential stuffing across customer accounts. As opposed to someone breaking into the back end of Roku and leaking customer account details.
It could also be targeted credential stuffing given recent events. An interesting tactic to create problems for a company.
I'm not saying Roku is a good company, but this isn't really a data breach but poor credential management by customers.
Looks like Ars Technica called it:
Roku is also taking heat for using forced arbitration at all, which some argue can have one-sided benefits. In a similar move in December, for example, 23andMe said users had 30 days to opt out of its new dispute resolution terms, which included mass arbitration rules (the genetics firm let customers opt out via email, though). The changes came after 23andMe user data was stolen in a cyberattack. Forced arbitration clauses are frequently used by large companies to avoid being sued by fed-up customers.
https://arstechnica.com/gadgets/2024/03/disgraceful-messy-to...
If enough people do it, forced arbitration can actually end up being expensive for the company. IIRC, there was a case where the company itself tried to get out of the forced arbitration and go to court since it was a pain to try to handle a massive number of individual arbitration cases.
I wonder how Roku would react if every Roku user filed an arbitration case since your data was at risk.
The Roku lawyers seem to be defending specifically against this.
The new terms have language that say that if enough people enter arbitration at the same time, they have to do one big "mass arbitration."
Wow so they will tell an entire group of people to pound sand at the same time. Neat
> IIRC, there was a case where the company itself tried to get out of the forced arbitration and go to court since it was a pain to try to handle a massive number of individual arbitration cases.
Twitter, in relation to arbitration with employees it terminated? https://arstechnica.com/tech-policy/2023/07/twitter-refuses-...
I remember this happening with Intuit in 2020
> Judge Breyer suggested at the Dec. 17 hearing on the proposed class action settlement that Intuit has only itself to blame for its mass arbitration predicament. “You knew what the rules of arbitration were. You knew all these things. And you elected - you elected to go to arbitration. And you fought fairly, vigorously, and it turns out correctly, that you had this right to insist on arbitration,” the judge told Intuit counsel Rodger Cole of Fenwick & West. “Now you come in, when you see how it is unfolding, and say: ‘Not so fast … Now we want to turn and do something else.’”
https://www.reuters.com/article/legal-us-otc-intuit/judge-br...
That recent push by Roku for accepting updated EULA around arbitration makes quite a lot more sense
For those who don't know, just a week or so ago Roku amended the arbitration clause of their terms of service and soft-bricked every Roku in the US until you Agreed to the new terms. This even extended to TVs from other brands with Roku software, making the TV non-functional even as a dumb display since the Roku software controls input selection AND would ignore any HDMI-CEC commands. I guess we know why now.
There is a 30-day window after agreeing where you can mail them a letter opting out of the new arbitration agreement.
https://cordcuttersnews.com/roku-issues-a-mandatory-terms-of...
My kids have been watching TV, they must have accepted it on my behalf. They should have required the parental control pin to accept it.
Can anyone who understands legal stuff explain this? As a layman Roku’s popup seemed wildly insufficient verification that the account owners were the ones accepting these TOS.
Not an expert but have worked on similar stuff and there’s no specific controls that I know of around specifically verifying that the account owner sees these things, just that they’re made available and the account is notified.
Not legal, but yes, they'll probably get sued for this.
The whole point of having a quick, online opt-in and an elaborate "mail us a notarized letter" opt-out is to make it very easy to opt in. Why would they want to make it harder? They're already on dodgy legal ground, and the "enter your PIN" wouldn't make it much firmer.
You're thinking like an engineer given the problem of "get people's consent" instead of like a businessman with the goal of "altering the deal."
Someone else pointed out that they can't even prove it wasn't a dog who agreed by chewing on the remote. Yet somehow these clicks are still considered to legally bind the owner.
Surely it’s just a happy coincidence that Roku hamfistedly decided to force all customers into arbitration before disclosing a breach…
These lawyers who come up with these schemes never seem to consider capacity planning.
Forced arbitration? Much better than an expensive lawsuit.
Except when hundreds to thousands of people want arbitration and since the company wanted arbitration, we have to foot the bill... Yikes.
Hmmm. Fix the arbitration scaling problem by changing to forced mass arbitration. But the users will have to send in a letter to opt out of the new agreement.
Roku has 80 million+ accounts.
What happens when even one percent of those accounts opt out? Put on your "grudgingly-pay-the-outrageous-fine-with-pennies" hat and I'm sure you can come up with ways to increase the difficulty level of receiving many letters opting out of this new agreement.
My Roku-enabled TV used to bootloop whenever I blocked it from fetching screensaver ads. Support was happy to help. First step: (re)connect to the internet. Second step: disable any network ad blocking. Hmmmmm.
People rolled their eyes when I suggested that this was intentional, but these recent revelations strongly suggest that Roku is very comfortable exploiting the hell out of dark patterns.
If we don't enact stronger consumer protections, everything will work this way.
For years, it has been the case that, when booting up the Roku, the highlighted item would often be a link that would install an app. My kids have accidentally installed so many things. When I tried to remove YouTube, it suggested it below the installed apps, and the kids re-installed it, without having a clue what they were doing and were confused as to why it now showed ads (logged out), when before it didn't (logged in with Premium).
In the "old days," the junkbuster proxy used to return a 128x32(?) blank gif in lieu of an actual block because the page layout would :fu: if the ad wasn't in place and correctly sized. I could easily imagine that might help your situation, too
Don't misunderstand me: it's 100% atrocious that any device bootloops if some ad network 403s, but on the spectrum of "spit into one hand..." and nginx in the other ...
Haha, yes, that would be something to try, but in the meantime I upgraded monitors and the new one does not have Roku or any of Roku's problems. Yet. If Roku gets away with it this will be everywhere.
This is absolutely glorious.
Days after forcing its users into mandatory arbitration this comes out.
Would be awesome if holding someone's TV hostage until they agree to not sue you was illegal.
I hope some regulators ask for proof that the breach was “after” and not “the cause of”. It would not shock me to learn that this was the same playbook 23andme used.
Looking at the state of things I doubt it would make a difference. Roku might pay a nominal fine at most.
This breach is suspiciously close to their new forced arbitration in their terms of service.
I wonder if the obviously coordinated nature of this change will come back to bite them in the ass. It seems hard to believe that it was a good-faith change on their part.
Also, the breach happened while people were receiving services under the old TOS, not the new one. I wonder if that could impact things?
Related: Ask HN: Fighting back against Roku's forced arbitration?
https://news.ycombinator.com/item?id=39503941 (2024-02-25)
It's related as in they are both things about Roku but it's too early to tell if these two events are actually related in some more meaningful way.
The timing is sort of hard not to be suspicious of though, right?
In business, if the consumer gets shafted this hard, it's not a coincidence.
Changing terms after the fact does not change the terms that were being operated under during the time of the breach.
If you agree to all disputes going through arbitration then all disputes go through arbitration
One after the other, can we all assume now that a data breach for any company is not an "if" anymore, just a "when"?
Yeah, this sort of thing must make business harder to do. At least, I try to avoid putting my card into any service I can avoid.
Card won’t be charged during the free trial? Don’t need another copy out there!
Could that be a reason they amended their terms and conditions in such a draconian way?
Why does this notification say passwords were compromised and not password hashes? Certainly Roku engineers were better than that?
These are most likely people with easily guessed passwords like "password". The notification suggests the attackers purchased these email/password combos in bulk. That's likely all this is.
> As a result, unauthorized actors were able to obtain login information from third-party sources and then use it to access certain individual Roku accounts. After gaining access, they then changed the Roku login information for the affected individual Roku accounts, and, in a limited number of cases, attempted to purchase streaming subscriptions.
How limited, and what subs?
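The pattern described in the credential-stuffing discussion above and in the quoted notification (one source trying leaked email/password pairs against many different accounts, then changing the login details and attempting purchases on the ones that work) is something a defender can distinguish from an ordinary brute-force attack in authentication logs. The following is an added example, not Roku's code, logs or detection logic: the log format, the IP addresses, the thresholds and the event names (`login`, `cred_change`, `purchase`) are all constructed for illustration.

```python
"""Credential-stuffing triage over constructed authentication events.

Brute force is many passwords against ONE account; credential stuffing is one
(leaked) password each against MANY accounts from the same source. So the
distinguishing signal is how many distinct accounts a single source tries
inside a short window, and how many of those attempts fail (stale creds).
A successful login from such a source that is followed by a credential change
or a purchase attempt is an account-takeover candidate.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumption: not real data). One event per line:
# <ISO timestamp> <event> <account> <source IP> <outcome>
SAMPLE_LOG = """\
2024-03-08T10:00:01Z login alice@example.com 203.0.113.5 fail
2024-03-08T10:00:02Z login bob@example.com 203.0.113.5 fail
2024-03-08T10:00:03Z login carol@example.com 203.0.113.5 success
2024-03-08T10:00:04Z login dave@example.com 203.0.113.5 fail
2024-03-08T10:00:05Z login erin@example.com 203.0.113.5 fail
2024-03-08T10:00:06Z login frank@example.com 203.0.113.5 success
2024-03-08T10:00:07Z login grace@example.com 203.0.113.5 fail
2024-03-08T10:00:08Z login heidi@example.com 203.0.113.5 fail
2024-03-08T10:02:30Z cred_change carol@example.com 203.0.113.5 success
2024-03-08T10:03:10Z purchase carol@example.com 203.0.113.5 fail
2024-03-08T10:05:00Z login bob@example.com 198.51.100.7 fail
2024-03-08T10:05:20Z login bob@example.com 198.51.100.7 success
2024-03-08T11:00:00Z cred_change frank@example.com 192.0.2.9 success
"""

# Thresholds are assumptions chosen for the sample; tune them to real traffic.
WINDOW = timedelta(minutes=10)          # sliding window for per-source stats
MIN_DISTINCT_ACCOUNTS = 5               # one source hitting many accounts
MIN_FAILURE_RATIO = 0.5                 # most attempts fail (list is stale)
TAKEOVER_WINDOW = timedelta(minutes=30) # post-login actions to correlate


def parse_events(text):
    """Parse the whitespace-separated log format above into sorted dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, account, src_ip, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event, "account": account,
            "src_ip": src_ip, "outcome": outcome,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def flag_stuffing_sources(events):
    """Return {src_ip: stats} for sources whose login attempts look like stuffing.

    For every attempt, look back over the attempts from the same source inside
    WINDOW; flag the source when that window spans many distinct accounts and
    is mostly failures. Stats kept are from the last window that crossed the
    threshold.
    """
    by_source = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            by_source[e["src_ip"]].append(e)
    flagged = {}
    for src_ip, logins in by_source.items():
        for i, cur in enumerate(logins):
            window = [l for l in logins[:i + 1] if cur["ts"] - l["ts"] <= WINDOW]
            accounts = {l["account"] for l in window}
            failures = sum(1 for l in window if l["outcome"] == "fail")
            ratio = failures / len(window)
            if len(accounts) >= MIN_DISTINCT_ACCOUNTS and ratio >= MIN_FAILURE_RATIO:
                flagged[src_ip] = {"attempts": len(window),
                                   "distinct_accounts": len(accounts),
                                   "failure_ratio": ratio}
    return flagged


def flag_takeovers(events, stuffing_sources):
    """Accounts where a success from a flagged source is followed, within
    TAKEOVER_WINDOW, by a credential change or purchase attempt (from any IP)."""
    takeovers = defaultdict(list)
    for login in events:
        if not (login["event"] == "login" and login["outcome"] == "success"
                and login["src_ip"] in stuffing_sources):
            continue
        for e in events:
            if (e["account"] == login["account"]
                    and e["event"] in ("cred_change", "purchase")
                    and timedelta(0) <= e["ts"] - login["ts"] <= TAKEOVER_WINDOW):
                takeovers[login["account"]].append((e["event"], e["outcome"]))
    return dict(takeovers)


def triage(log_text):
    """Run both detections and return a report dict."""
    events = parse_events(log_text)
    sources = flag_stuffing_sources(events)
    return {"stuffing_sources": sources,
            "takeover_candidates": flag_takeovers(events, sources)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On the sample, 203.0.113.5 is flagged (8 distinct accounts, 75% failures), while 198.51.100.7 is not: it only ever touches one account, which is what a legitimate user mistyping a password looks like. carol@example.com becomes a takeover candidate because the successful login from the flagged source is followed by a credential change and a purchase attempt; frank@example.com is not, because the credential change on that account falls outside the correlation window. In a real deployment the second stage is the one that turns "someone is stuffing" into a concrete list of accounts to lock, re-verify and refund.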
So, I guess this must be why they changed their TOS.
It sure would be nice to know what was exposed in the hack. Given they are an advertisement company.
This is your regular reminder to audit your password manager for accounts you no longer need, and then go and have those accounts deleted.
Of course you can't guarantee that your data will actually be purged, or that it hasn't already been compromised from these places - but less exposure is better than more exposure, right?
I'm sorry, after 20 years of data breach alarmism, and resulting de minimis consequences, isn't it time for some of this to get a "who cares?"
I think there's actually a huge industry around buying and using the information stolen in these breaches? Identity theft is a pretty big problem, no? This seems like a really weird take.