Roku closes the barn door, badly, after a half-million accounts are compromised

I gave Roku a bit of a hard time in March after it came to light that some 15,000 accounts were affected in a security breach. To be fair, that breach wasn’t entirely Roku’s fault because it was done via credential stuffing. That’s the method by which credentials taken from some other leak are tried against various other services in hopes that you’ve reused a password somewhere. That attack netted more than 15,000 hits.

That’s bad enough. Worse was that Roku still didn’t have two-factor authentication, which would have required the evildoers to have a second set of credentials and could have prevented many of the unauthorized entries.

But apparently things actually got worse from there. Roku today announced that the investigation into the 15,000-account breach uncovered a second attack, “which impacted approximately 576,000 additional accounts.” (For context, Roku had 80 million active accounts at the end of 2023.)

Like the first attack, Roku says that “it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials.” In other words, more credential stuffing. Roku says that fewer than 400 cases saw unauthorized purchases or streaming subscriptions using the payment methods that were attached to those accounts.

All of that is bad. Very bad, actually. (Especially for the 400 accounts that actually saw money change hands.)

Roku finally enables 2FA, sort of

If there’s any good news to come from this, it’s that Roku has finally enabled two-factor authentication. Sort of. First, here’s what Roku had to say in its post announcing the second breach:

“As a part of our ongoing commitment to information security, we have enabled two-factor authentication (2FA) for all Roku accounts, even for those that have not been impacted by these recent incidents. As a result, the next time you attempt to log in to your Roku account online, a verification link will be sent to the email address associated with your account, and you will need to click the link in the email before you can access the account.”

That second part is important. The main two-factor authentication Roku has implemented is that it will send you a link, via email, as the secondary form of authentication. That’s better than nothing. You also can enter the last five digits of your device ID if for some reason you can’t get to your email to click the link.

The email you get if you try to log in to your Roku account.
Roku will now send you an email with a unique, single-use link when you try to log in to your account. Phil Nickinson / Digital Trends

What you don’t get is any options. You can’t choose whether the two-factor authentication is done by “magic link” (wherein the company sends you a temporary link to approve access), or time-based code via SMS or authenticator app. Or some other method. That’s not the end of the world, I suppose. An emailed link is fairly frictionless — provided that the email account itself isn’t also compromised.

But it’s also not without issues.

Post-2FA device activation

Just to test things out, I reset my Roku account password. All subsequent logins have ended up with Roku sending me an email with a link to click, just like Roku said would happen. That works fine in a web browser. I log in with my email and password, then wait a couple seconds for Roku to send me a link to click. Same goes for logging in to the Roku app.

The email received after manually entering your email address when activating a Roku device. Note how it looks different than the email you get if you used the QR code. Phil Nickinson / Digital Trends

But I ran into issues trying to log in to a Roku streaming stick after a hard reset. There are two options here. With one, the Roku device can display a QR code on the TV. Scan it with your phone, and you’re prompted to log in using your email and password. Easy enough. And that login will send you a link via email that you have to click before you’re actually able to do anything on the device you’re trying to activate. Only, it doesn’t appear that the authentication is returned to the device.

But if you choose the option by which you manually type your email using the Roku remote, you’ll be sent a different-looking email. Click that link, and your Roku device will authenticate and activate, just as it should. In other words, it looks like the QR code method is trying to log you in to your account, while the manual method is trying to properly activate the device.

Roku says it’s looking into this part.
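How a single-use emailed link can be tied to the request that triggered it, as an added example (not from the article and not Roku's code). The in-memory store, the flow names `web_login` and `device_activation`, the ten-minute lifetime and all IDs are assumptions; the point is that a link issued for an account login approves only that login and leaves a waiting device unapproved.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 600  # assumed link lifetime; the article does not state one


class MagicLinkStore:
    """Pending second-factor approvals, kept in memory for the example."""

    def __init__(self, now=time.time):
        self._pending = {}      # sha256(token) -> (account, flow, flow_id, expires_at)
        self._approved = set()  # (flow, flow_id) pairs whose link was clicked
        self._now = now

    def issue(self, account, flow, flow_id):
        """Create a token for exactly one pending request."""
        token = secrets.token_urlsafe(32)  # unguessable value placed in the emailed URL
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Only the hash is stored, so a leaked store does not yield usable links.
        self._pending[digest] = (account, flow, flow_id, self._now() + TTL_SECONDS)
        return token

    def redeem(self, token):
        """Handle a click: single use, expiring, approves only its own request."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self._pending.pop(digest, None)  # pop makes the link single-use
        if record is None:
            return None
        account, flow, flow_id, expires_at = record
        if self._now() > expires_at:
            return None
        self._approved.add((flow, flow_id))
        return account, flow, flow_id

    def is_approved(self, flow, flow_id):
        """Polled by the waiting browser session or by the device being activated."""
        return (flow, flow_id) in self._approved


if __name__ == "__main__":
    store = MagicLinkStore()
    # Constructed scenario: the device waits on "dev-1", but the link was
    # issued for a web login, so the click never reaches the device.
    link = store.issue("user@example.com", "web_login", "sess-9")
    store.redeem(link)
    print(store.is_approved("web_login", "sess-9"))        # True
    print(store.is_approved("device_activation", "dev-1"))  # False
```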

The really frustrating part

This really shouldn’t be that difficult. Two-factor authentication is not particularly new. And while any 2FA obviously adds a layer of complexity to any login scheme — and if Roku is known for anything, it’s simplicity — 2FA is also the sort of thing that users have gotten used to over the years.

Roku needs to do a few things. Foremost is that it needs to fix the device authentication. It’s simply broken if you try to use the QR code. (The good news is that should be a server-side fix.) It should allow you to choose your method of authentication. That likely would take a little longer to roll out. But given that Roku should have had proper 2FA set up years ago, that’s hardly an excuse.

Security is always going to be an uphill battle. It’s too easy for the bad guys to play offense. Defense is costly and time-consuming. But it’s not getting any less important. Roku still needs to do better.

Phil Nickinson