[HN Gopher] Roku says hackers gained access to 576k accounts in ...
___________________________________________________________________
Roku says hackers gained access to 576k accounts in latest data-
breach incident
Author : fortran77
Score : 120 points
Date : 2024-04-14 14:23 UTC (8 hours ago)
(HTM) web link (www.wsj.com)
(TXT) w3m dump (www.wsj.com)
| cjk2 wrote:
| Arrr another one up for the pirates. Privacy it is!
| SketchySeaBeast wrote:
| If we trust what the company says, it seems like it's another
| one for using a password manager.
| kalaksi wrote:
| No need for passwords if there's no need for an account
| notatoad wrote:
| i mainly use my roku to watch pirated tv shows. not sure how
| this is a win for pirates. (other than i don't really give a
| damn if somebody hacks my roku account)
| jkic47 wrote:
| I cancelled my account after the last ToS update, and my Roku is
| going into the next e-waste collection event. Fortunately, that
| password was never reused
| AnotherGoodName wrote:
| For those who read even the first paragraph it's a credential
| stuffing attack. As in people used the same username/password
| combinations that were leaked or phished.
|
| Use a password manager people.
| bdcravens wrote:
| The issue for smart devices, like TVs, is that you often have
| to type credentials in a tedious way without access to your
| password manager (other than transcribing it from your phone).
| jameshart wrote:
| Most TV apps seem to use the 'enter this code in a web
| browser' auth model which gets around that limitation and
| allows you to use your browser's password manager support.
| zamadatix wrote:
| Yep, or just "scan this QR code on your phone" and auth
| becomes the same as anything else on your phone.
| bdcravens wrote:
| It's becoming common enough, but I've set up enough smart
| TVs in the past 2 years to realize it's not universal.
| dylan604 wrote:
| The Hulu app on my ATV4k refuses to activate the keyboard
| input on my other devices like the other apps on my ATV
| do. I know this because it recently started asking me to
| re-login for whatever reason, and I have been trying to
| get my password manager password into the app without
| using the dumb remote. It just will not do it.
|
| Long winded way of saying that other devices do it as
| well
| sanitycheck wrote:
| Funnily enough, Roku now explicitly disallows this and will
| reject any paid app on their platform that tries to use it.
| (Although Netflix, Amazon, etc can do what they like as
| usual.)
| Larrikin wrote:
| The keyboard on phone is now on every smart TV platform, Roku
| included. There's no situation where I wouldn't want to go
| and fetch my phone instead of hunting down the on screen
| letters for my username and password.
| bdcravens wrote:
| Without setting up the TV partially and downloading an app?
| You can also add a bluetooth keyboard to most TVs as well.
| Larrikin wrote:
| What is the situation where the smart tv doesn't have the
| internet where you need to log in? My wifi password is
| specifically easy to input on any device.
|
| If you're already buying a smart tv device and putting it
| on your network, downloading an app that gives you better
| control over it doesn't seem like a step too far.
| Especially with phone permissions being more finely
| grained than whatever the box itself is doing.
| prmoustache wrote:
| Then use passphrases that you can easily read from your
| password manager and type them.
| paxys wrote:
| You can create a password that consists entirely of lowercase
| letters that is easy to enter on such a keyboard and also
| secure. The point is to not reuse it on your other accounts.
| tmpz22 wrote:
| > that is easy
|
| Anyone who has supported digital devices for friends and
| family (especially elderly ones) knows it is in fact not
| easy.
|
| These accounts exist for the commercial benefit of
| companies. They could tie authorization to the hardware if
| they wanted to, like it used to be before the internet, but
| they don't. The idea that consumers need to do data and
| security management for the commercial benefit of
| corporations has gotten absurd. We're doing their IT for
| them, and still getting hacked even when we do it right.
| Remember Equifax? Pepperidge farms remembers Equifax.
| bdcravens wrote:
| All lower case won't pass many password requirements.
|
| That said, it's possible to come up with an easy-to-remember
| scheme that is unique (like {ServiceName}@{houseNumber} or the
| like).
| suzzer99 wrote:
| My mom did this with the name of the website and her
| birthday. Amazingly, hackers figured out her cypher.
| bee_rider wrote:
| It would actually be kind of interesting to have a password
| manager that generated passwords that are "nice" for
| entering with a tv remote. It would definitely reduce the
| complexity of the passwords, but then you can just go
| longer. I'd probably want rules like
|
| "Characters should be adjacent on that particular gridded
| qwerty keyboard that TVs tend to use or two-off in a single
| direction. Double characters are also ok. Long strings of
| upper or lower case letters."
|
| I guess the number of possible passwords is something like
| 26*(9^(n-1)), ignoring special characters and (rare) case
| changes. Also ignoring the edges of the keyboard, which
| probably really messes my path up because it isn't very
| tall.
| kevin_thibedeau wrote:
| You'd need 15+ lowercase characters to be close to secure.
| How many are going to do that?
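An added example (not from the thread) that makes bee_rider's estimate and kevin_thibedeau's length concern concrete: it models an assumed 3-row gridded QWERTY layout, counts the strings that obey the "adjacent or two-off in one direction" rule exactly (keyboard edges included) with dynamic programming, compares the result against 26*9^(n-1), reports the length needed for a target strength, and samples uniformly from the valid strings. The layout and the reading of the rule are assumptions, not anything the commenters specified.

```python
import math
import secrets

# Assumed 3-row gridded QWERTY layout, lowercase only (constructed; real TV keyboards vary).
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}

def easy_step(a, b):
    """One 'nice' remote move: same key, any neighbouring key, or two keys off in a straight line."""
    (ra, ca), (rb, cb) = POS[a], POS[b]
    dr, dc = abs(ra - rb), abs(ca - cb)
    return (dr <= 1 and dc <= 1) or (dr == 2 and dc == 0) or (dr == 0 and dc == 2)

# The relation is symmetric, so NEXT[a] is also the set of letters that may precede a.
NEXT = {a: [b for b in POS if easy_step(a, b)] for a in POS}

def prefix_counts(n):
    """counts[k][ch] = number of valid strings of length k+1 ending on ch (dynamic programming)."""
    counts = [{ch: 1 for ch in POS}]
    for _ in range(n - 1):
        prev = counts[-1]
        counts.append({ch: sum(prev[p] for p in NEXT[ch]) for ch in POS})
    return counts

def entropy_bits(n):
    """(exact bits of a uniformly chosen valid string, the thread's 26*9^(n-1) estimate)."""
    exact = math.log2(sum(prefix_counts(n)[-1].values()))
    return exact, math.log2(26) + (n - 1) * math.log2(9)

def length_for(target_bits):
    """Smallest length whose remote-friendly strings carry at least target_bits of entropy."""
    n = 1
    while entropy_bits(n)[0] < target_bits:
        n += 1
    return n

def generate(n):
    """Uniform over all valid strings: choose letters from the end, each weighted by the DP counts."""
    counts = prefix_counts(n)
    weights, out = counts[-1], []
    for k in range(n - 1, -1, -1):
        pick = secrets.randbelow(sum(weights.values()))
        for ch, w in weights.items():
            pick -= w
            if pick < 0:
                break
        out.append(ch)
        if k:
            weights = {p: counts[k - 1][p] for p in NEXT[ch]}
    return "".join(reversed(out))
```

Already at two characters the exact count (218) falls short of the 26*9 = 234 estimate because of the edges, and `length_for(70)` shows that matching the strength of 15 fully random lowercase letters takes well over 15 remote-friendly ones.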
| oezi wrote:
| I hate how Chromecasting is being phased out by Google over
| GoogleTV (or whatever they call it now). Just playing from
| your mobile phone alleviated this issue perfectly. Now
| Netflix for instance hijacks your cast command to force a
| login on Samsung TVs.
| gessha wrote:
| Google will never come up with a branding and stick to it.
| They could've built a better walled garden than Apple but
| chose not to because it doesn't align with their financials
| _currently_ and their org is basically 100 startups in a
| trench coat all funded by ads.
| ajross wrote:
| Chromecast isn't being phased out, not sure what you mean?
| Your issue with Netflix is how the Netflix app works, it
| wants a second layer of authentication, and the nature of
| the framework (it's not just streaming video from a device,
| it's basically an app that gets beamed over so the device
| can do the streaming itself) is that they can put up
| whatever they want. Do the same thing with Youtube and it's
| seamless. Try it with AppleTV and there's no support at all
| (beyond trickery like casting a browser window). Big Tech
| can't agree on this stuff and never will as long as there's
| a garden wall to build.
| oezi wrote:
| I just meant that Google is focusing more on their
| AndroidTV/GoogleTV way of doing things (apps on the TV)
| than continuing working towards casting from mobile
| devices onto the TV.
|
| This lack of focus on Casting is certainly causing it to
| feel like it is becoming obsolete. For instance many
| Android apps now have bugs when it comes to casting
| (stuttering video or the cast button only showing up when
| restarting the app).
| cdurth wrote:
| I received the email saying I was included. I use a PW manager.
| heyoni wrote:
| To generate passwords or just store them?
| noiv wrote:
| Don't like all eggs in one basket.
| nickburns wrote:
| some baskets are more secure (e.g. an encrypted database)
| than others (e.g. your head).
| jwagenet wrote:
| My head is more secure than any database, but it is lossy.
| nickburns wrote:
| head lacks sufficient memorization capacity lending to
| proneness to credential reuse--which, in this specific
| context, makes it inherently less _secure_. but i would
| agree head is _safer_ than any other basket, definitely.
| bdcravens wrote:
| I have 2 Roku TVs, and I suppose I should be deeply concerned,
| but at this point, I'm just like "meh". By this time my info has
| been in enough data breaches of supposedly more secure companies
| like Adobe and others that I feel like "defensive Internetting"
| is the only real answer (password managers, single-use credit
| card numbers when you can, etc)
| lagniappe wrote:
| my roku has had a forgotten password for years. does this mean
| there might be a record of it somewhere so i can get it?
| alephnerd wrote:
| Hats off to you.
| nickburns wrote:
| https://haveibeenpwned.com
| randunel wrote:
| Infinite captchas, that website is utterly broken.
| https://imgur.com/a/K5z1X2R
| Larrikin wrote:
| Maybe because you used a fake email. I'm signed up so I get
| their emails on my main account but my secondary email did
| not get a captcha.
| fecal_henge wrote:
| Makes me happy I used a 1 hour throw away email address to
| satisfy Roku's insane demand that I create an account just to
| watch TV.
| financetechbro wrote:
| How convenient for Roku to announce this breach soon after they
| forced an arbitration clause change in their ToS
| lolinder wrote:
| No one was going to sue them for failing to stop a credential
| stuffing attack. There are things they could have done to
| mitigate it, but between the low damages (someone got to stream
| some stuff on my account for a few days, maybe?) and the fact
| that sufficiently protecting against credential stuffing is
| vanishingly rare as an industry practice, there was never going
| to be a profitable class action lawsuit coming out of this
| "breach".
| skybrian wrote:
| If the stock goes down, maybe it's securities fraud? No
| arbitration agreement there.
| gessha wrote:
| If it is, we'll probably hear about it from Matt Levine's
| newsletter.
| faeriechangling wrote:
| I feel 23andMe's feet deserved to be held to the fire over a
| credential stuffing attack, not just because of the
| sensitivity of the data, but because of how they allowed
| accounts using insecure authentication methods to access data
| from other accounts.
|
| Roku though? The data stored in a Roku account is not totally
| insensitive, but it's not seriously sensitive. A lax security
| posture is justifiable. I would personally not care a bit if
| somebody infiltrated my Roku account and I don't believe most
| people would. The accounts mostly exist for Roku's purposes
| more than their customers.
|
| My only concern might be people using my account to authorise
| charges I did not approve to rent movies, but I don't see why
| anybody would actually want to do that, since it's a lot more
| cumbersome than piracy.
| kevin_thibedeau wrote:
| The Video Privacy Protection Act is one of the few data
| protection laws Americans get to enjoy. Legally, video
| history is more sensitive than things like location
| tracking data and electronic purchase records. Roku can't
| adopt a lax security posture in their line of business.
| nickburns wrote:
| one imagines thorough lawyers always recommend a belt-and-
| suspenders approach to even the slightest liability
| potential.
|
| and "low damages" (to/for whom?) don't typically inform the
| feasibility of a class action. it's generally presumable that
| individual damages are insufficient to justify most
| individual action--hence class formation/certification. but
| the 'profitability' of attorneys' fees awards certainly does.
| suck-my-spez wrote:
| Roku have turned into a really shitty company. Did they not just
| update their terms to prevent folk suing? Seems convenient...
| dboreham wrote:
| This doesn't sound like a "breach". Rather, Roku failed to detect
| use of weak/compromised passwords by users by attackers who
| successfully authenticated. Obviously some user data could be
| leaked but presumably the attackers were selling the accounts for
| use by others to watch TV?
| faeriechangling wrote:
| It is a breach and credential stuffing attacks can be strongly
| mitigated with well known security measures. Such as using
| banned password lists, or measures to detect and block
| malicious attempts to access accounts by guessing passwords.
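To make the distinction dboreham and faeriechangling are drawing concrete, here is an added example (not from the thread, not Roku's code) that runs a simple credential-stuffing detector over a constructed authentication log: it separates stuffing (many distinct accounts per source, a few of them succeeding) from classic brute force (one account, mostly failures), and lists the accounts that were "successfully" logged into from a stuffing source, which is exactly what a notification like this one has to identify. The log format, thresholds and IP addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed authentication log (not real Roku data): one line per login attempt.
SAMPLE_LOG = """\
2024-04-14T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-04-14T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2024-04-14T10:00:02Z ip=203.0.113.5 user=carol result=OK
2024-04-14T10:00:04Z ip=203.0.113.5 user=frank result=OK
2024-04-14T10:00:10Z ip=198.51.100.7 user=grace result=FAIL
2024-04-14T10:00:11Z ip=198.51.100.7 user=grace result=FAIL
2024-04-14T10:00:12Z ip=198.51.100.7 user=grace result=FAIL
2024-04-14T10:00:13Z ip=198.51.100.7 user=grace result=FAIL
2024-04-14T10:00:20Z ip=192.0.2.9 user=heidi result=FAIL
2024-04-14T10:00:25Z ip=192.0.2.9 user=heidi result=OK
"""
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(log):
    """Yield (timestamp, ip, user, result) for every well-formed line; skip anything else."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def classify_sources(log, min_attempts=4, stuffing_user_ratio=0.8, bruteforce_fail_ratio=0.75):
    """Verdict per source IP. Stuffing replays one leaked pair per victim, so its signature is
    many *distinct* accounts per source; brute force hammers one account. Thresholds are illustrative."""
    per_ip = defaultdict(list)
    for _ts, ip, user, result in parse(log):
        per_ip[ip].append((user, result))
    verdicts = {}
    for ip, attempts in per_ip.items():
        n = len(attempts)
        distinct = len({u for u, _ in attempts})
        fails = sum(1 for _, r in attempts if r == "FAIL")
        if n < min_attempts:
            verdicts[ip] = "normal"
        elif distinct / n >= stuffing_user_ratio:
            verdicts[ip] = "stuffing"
        elif distinct == 1 and fails / n >= bruteforce_fail_ratio:
            verdicts[ip] = "bruteforce"
        else:
            verdicts[ip] = "normal"
    return verdicts

def compromised_accounts(log, verdicts):
    """Accounts that logged in *successfully* from a stuffing source: the reuse victims to reset."""
    return sorted({u for _ts, ip, u, r in parse(log) if r == "OK" and verdicts.get(ip) == "stuffing"})
```

Note that the successes are the important output: a stuffing campaign shows up in the logs as valid logins, so a detector that only counts failures per account misses the accounts that actually matter.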
| throwaway984393 wrote:
| As a consumer I'm sick of seeing these data breaches. The market
| is not solving this problem.
|
| We need legislation to force businesses to do security audits of
| their products if they collect PII, and fix the bugs in a
| reasonable time frame. If they don't they need major penalties
| that are recurring and increase over time. This way a
| whistleblower can report their company if they fail to properly
| perform an audit or fail to fix the bugs.
|
| This may seem toothless, but avoiding shame and fines is a big
| motivator for companies in industries where data privacy
| regulation exists. If we can force them to start investing in
| security, that reduces the likelihood of security holes sticking
| around forever, leading to breach.
| blackeyeblitzar wrote:
| I have noticed an increasing trend of companies FORCING users
| into accepting aggressive terms of service by denying them the
| usage or ownership they're already entitled to. Roku did this
| famously, but so did Activision Blizzard AKA Microsoft (you can't
| access your games via Battle.net unless you accept terms), and so
| did TP Link (you can't access the admin interface for your router
| unless you accept terms). It's also getting worse in terms of
| ownership - Ubisoft recently shut down servers for a game called
| The Crew and then silently started deleting the game from
| players' libraries
| (https://www.rockpapershotgun.com/the-crew-has-started-disapp...).
| People think they did this deletion to
| prevent some kind of workaround to use the game files and play
| the game locally, but either way, it is a huge violation of the
| notion of ownership.
|
| This will keep continuing until there are consequences for
| executives and companies - meaning fines, including retroactive
| ones, and jail time. For now, we need to keep spreading awareness
| and then pressure lawmakers to do something about it. But techies
| can just stop paying these companies any more money too.
| spxneo wrote:
| side note: not your CDs, not your game.
| tooltower wrote:
| Even the CDs these days will often refuse to play without an
| internet connection.
| kevin_thibedeau wrote:
| I'd put that more on the player trying to connect to
| Gracenote for metadata, cover art, and invasive tracking.
| CDExtra is dead and no OS will autoplay them so there isn't
| a way for redbook audio discs to execute code.
| mikestew wrote:
| Umm, the topic is _game_ CDs, not music.
| TobTobXX wrote:
| I also like this phrase: If buying isn't owning, pirating
| isn't stealing.
| blackeyeblitzar wrote:
| I agree but there's no choice really. All the major game
| studios do these anti consumer things. And many of them are
| being bought by larger companies like Microsoft or Netease or
| whoever
| tedunangst wrote:
| I wonder how people will react when Netflix starts enforcing two
| factor auth for logins. You know, industry best practice to stop
| cred stuffing.
| goodklopp wrote:
| https://archive.ph/fY3JN
___________________________________________________________________
(page generated 2024-04-14 23:02 UTC)