Credential Stuffing Attack Comes to Streaming
Roku recently disclosed a breach that compromised 15,363 customer accounts. The attackers did not obtain credit card numbers from Roku itself; however, where a payment card was already on file, they used the hijacked accounts to buy subscriptions to Netflix, Paramount Plus, Hulu and the many other streaming services sold through Roku.
According to Roku, the credentials were most likely stolen in a data breach of a third-party service. Credential stuffing is the practice of taking username and password pairs leaked from one breach and replaying them, usually at scale with automated tools, against other sites; it works because people reuse the same password across services. In this case, once the attackers got into a Roku account, they changed the password and took over the account. On top of buying streaming services, logins for accounts with a credit card on file were sold for about 50 cents each, bundled with instructions on how to use them for further fraudulent purchases.
Credential stuffing is blunted, though not eliminated, by requiring multi-factor authentication (MFA): a reused password alone no longer gets an attacker into the account, so a leaked credential list loses most of its value. MFA is also one of the expanded requirements in PCI DSS version 4.0, which becomes mandatory this weekend (March 31, 2024). Note, though, that the PCI DSS MFA requirements govern personnel access into the cardholder data environment rather than customer-facing logins like Roku's, and the expanded requirement for MFA on all access into that environment is future-dated to March 31, 2025. Consumer-facing services should therefore also rate-limit and monitor login attempts per source, screen new passwords against known-breached lists, and alert on password or payment changes shortly after a login from an unfamiliar source, since MFA itself can still be bypassed by phishing or prompt-bombing.
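The two paragraphs above describe the attack pattern (many leaked username/password pairs tried from one source, a few succeeding) and the takeover step (password changed right after a successful login). The following is an added example, not code from the original post or from Roku, showing detection logic for both signals run over a constructed sample of authentication log lines. The log format, the thresholds and the IP addresses are all assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample of authentication events (not from Roku or any real system).
# Assumed format: "<ISO-8601 UTC timestamp> <source IP> <username> <event>"
# where event is LOGIN_OK, LOGIN_FAIL or PASSWORD_CHANGED.
SAMPLE_LOG = """\
2024-03-08T02:14:01Z 203.0.113.7 alice LOGIN_FAIL
2024-03-08T02:14:02Z 203.0.113.7 bob LOGIN_FAIL
2024-03-08T02:14:02Z 203.0.113.7 carol LOGIN_OK
2024-03-08T02:14:03Z 203.0.113.7 dave LOGIN_FAIL
2024-03-08T02:14:04Z 203.0.113.7 erin LOGIN_FAIL
2024-03-08T02:14:05Z 203.0.113.7 frank LOGIN_OK
2024-03-08T02:14:06Z 203.0.113.7 grace LOGIN_FAIL
2024-03-08T02:14:07Z 203.0.113.7 heidi LOGIN_FAIL
2024-03-08T02:14:30Z 203.0.113.7 carol PASSWORD_CHANGED
2024-03-08T02:15:10Z 203.0.113.7 frank PASSWORD_CHANGED
2024-03-08T09:00:00Z 198.51.100.4 alice LOGIN_FAIL
2024-03-08T09:00:05Z 198.51.100.4 alice LOGIN_FAIL
2024-03-08T09:00:12Z 198.51.100.4 alice LOGIN_OK
2024-03-08T10:30:00Z 192.0.2.9 bob LOGIN_OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters gathered from the log."""
    users: set = field(default_factory=set)          # distinct usernames tried
    attempts: int = 0                                # LOGIN_OK + LOGIN_FAIL
    failures: int = 0                                # LOGIN_FAIL only
    successes: list = field(default_factory=list)    # (timestamp, user)
    password_changes: list = field(default_factory=list)  # (timestamp, user)


def parse_line(line):
    """Split one log line into (timestamp, ip, user, event)."""
    ts, ip, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, event


def analyze(log_text, min_users=5, min_fail_ratio=0.6, takeover_window_s=600):
    """Flag source IPs that look like credential stuffing and, for each,
    list accounts whose password was changed within takeover_window_s of a
    successful login from that source (the takeover pattern in the article).

    A source is flagged when it tried at least min_users distinct usernames
    and at least min_fail_ratio of its attempts failed. Thresholds are
    hypothetical; tune them to your own traffic.
    """
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, event = parse_line(line)
        s = stats[ip]
        if event in ("LOGIN_OK", "LOGIN_FAIL"):
            s.attempts += 1
            s.users.add(user)
            if event == "LOGIN_FAIL":
                s.failures += 1
            else:
                s.successes.append((ts, user))
        elif event == "PASSWORD_CHANGED":
            s.password_changes.append((ts, user))

    findings = {}
    for ip, s in stats.items():
        if s.attempts == 0:
            continue
        ratio = s.failures / s.attempts
        if len(s.users) < min_users or ratio < min_fail_ratio:
            continue  # a single user mistyping a password is not stuffing
        takeovers = set()
        for ok_ts, user in s.successes:
            for ch_ts, ch_user in s.password_changes:
                delta = (ch_ts - ok_ts).total_seconds()
                if ch_user == user and 0 <= delta <= takeover_window_s:
                    takeovers.add(user)
        findings[ip] = {
            "distinct_users": len(s.users),
            "fail_ratio": round(ratio, 2),
            "successful_logins": sorted(u for _, u in s.successes),
            "likely_takeovers": sorted(takeovers),
        }
    return findings


if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG).items():
        print(ip, finding)
```

In the sample, 203.0.113.7 is flagged (eight usernames, 75% failure rate) and carol and frank are reported as likely takeovers because their passwords changed within seconds of the attacker's successful logins; 198.51.100.4 is a single user getting their own password wrong twice and is not flagged. Real stuffing runs have success rates of a fraction of a percent, so the failure ratio is usually far closer to 1.0 than in this compressed sample, and stuffing tools rotate source addresses through proxy pools, so in production the same counters should also be keyed by user agent, ASN or TLS fingerprint rather than by IP alone.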
Source: