Roku’s Credential Stuffing Hack
Protecting yourself from data breaches is easier than you think
Welcome to another issue of Secrets of Privacy where we discuss personal privacy related topics and provide practical tips to immediately boost your personal privacy. This is a free post so you can forward it directly to your friends and family that need it the most.
Quick disclaimer - this post is not intended for our regular readers.
At least not directly.
It’s more for your friends and family that have low privacy IQs. The ones that use “password123” on every website and don’t know about 2FA.
By now many of you have heard of Roku’s latest data breach. Here’s the quick background:
576,000 accounts were compromised.
Early reports are that the Bad Actors accessed the accounts using the “credential stuffing” technique, which is shorthand for saying the Bad Actors took website login credentials stolen (purchased?) elsewhere on the web and then used them to log in to Roku accounts.
Credential Stuffing works because people use the same username and password on multiple websites.
The Bad Actors were able to make purchases via the stored payment info in the compromised Roku accounts.
This situation may sound familiar. Bad Actors used the same tactic against 23andme late last year, though in that case the Bad Actors were able to access users’ genetic data, which is a bit more sensitive than the information Roku keeps on users.
Credential stuffing is also how we believe our friend “Tim” had his Facebook page hijacked to promote a crypto scam. This went on for months before Tim finally regained access to his account. (See here for that unbelievable story)
How to Avoid Credential Stuffing Attacks
Insulating yourself from credential stuffing is fairly simple. It takes minimal effort, yet most don’t do it. Here’s all it takes:
Use unique passwords for every website. Not just variations, like Password1234 vs. password1234, but completely unique, complicated passwords. This sounds daunting, but only if you’re not up to date on the latest tech.
Use unique usernames where you can. This one is less customary, but it’s becoming more important and easier. Any extra friction you can add will make you a harder target.
Start using disposable email addresses. If a bad guy gets hold of your email address from the dark web or by hacking a customer database, all you do is nuke that email address and start over. The fallout to you is near zero. Handling hundreds of email addresses may sound overwhelming, but again, only if you’re not up to date on the latest tech.
Activate 2FA. Focus on accounts that contain payment info or sensitive information. Social media accounts are a given since you can experience severe reputational harm if a social media account is hijacked. Like our friend Tim.
Opt for an authenticator app over SMS codes if you can. Authenticator apps are less susceptible to hijacking by a Bad Actor. We use the Auth app, offered by Ente Technologies. It’s open source software, which is usually the way to go.
Here are past SOP posts on the above topics:
There are more robust steps you can take, such as using passkeys (if available) or even a physical USB/Bluetooth security key. By all means adopt those tactics if you’re willing and able. But those are not needed to make yourself a harder target. Don’t let the perfect be the enemy of the solid.
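To make the first and fourth tips above concrete, here is an added example (not code from the newsletter or from any password manager) that audits a password-manager export for exactly the weakness credential stuffing exploits: the same username and password reused across sites. The CSV below is constructed for the example; the has_2fa and stores_payment columns are assumed fields, not something every manager exports. The script reports, for each account, which other accounts would fall if that one site leaked, groups passwords that differ only in letter case (the Password1234 vs. password1234 trap), and lists accounts that hold payment info but have no 2FA.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a password-manager CSV export (made-up sites and
# credentials). "has_2fa" and "stores_payment" are assumed columns added
# for this audit; they are not part of any real manager's export format.
SAMPLE_EXPORT = """site,username,password,has_2fa,stores_payment
streaming.example,jane@example.com,Password1234,no,yes
shop.example,jane@example.com,Password1234,no,yes
forum.example,jane@example.com,password1234,no,no
bank.example,jane.doe,xK9#vL2$pQ7!mN4&,yes,yes
social.example,jane@example.com,Password1234,yes,no
mail.example,jane@example.com,Zr8!wT3^bH6*eC1@,yes,no
"""


def load_vault(csv_text):
    """Parse the export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def audit(rows):
    """Return reuse findings that map directly onto credential-stuffing risk.

    exposure:          site -> other sites sharing the exact same
                       username+password (what one leak hands an attacker)
    variant_groups:    sites whose passwords are identical ignoring case
                       (near-duplicates the "variations" tip warns about)
    payment_without_2fa: sites storing payment info with 2FA switched off
    """
    by_credential = defaultdict(list)   # (username, password) -> [sites]
    by_password_ci = defaultdict(list)  # password.lower()      -> [sites]
    payment_without_2fa = []

    for row in rows:
        key = (row["username"], row["password"])
        by_credential[key].append(row["site"])
        by_password_ci[row["password"].lower()].append(row["site"])
        if row["stores_payment"] == "yes" and row["has_2fa"] != "yes":
            payment_without_2fa.append(row["site"])

    # For every site in a shared-credential group, list the other members.
    exposure = {}
    for sites in by_credential.values():
        if len(sites) > 1:
            for site in sites:
                exposure[site] = sorted(set(sites) - {site})

    variant_groups = sorted(
        sorted(sites) for sites in by_password_ci.values() if len(sites) > 1
    )

    return {
        "exposure": exposure,
        "variant_groups": variant_groups,
        "payment_without_2fa": sorted(payment_without_2fa),
    }


def print_report(report):
    """Human-readable summary of the audit."""
    if not report["exposure"]:
        print("No exact credential reuse found.")
    for site, others in sorted(report["exposure"].items()):
        print(f"[REUSE] a leak at {site} also unlocks: {', '.join(others)}")
    for group in report["variant_groups"]:
        print(f"[VARIANT] same password ignoring case: {', '.join(group)}")
    for site in report["payment_without_2fa"]:
        print(f"[NO-2FA] {site} stores payment info without 2FA")


if __name__ == "__main__":
    print_report(audit(load_vault(SAMPLE_EXPORT)))
```

Replace SAMPLE_EXPORT with the contents of your own manager's CSV export (after checking its column names), run it, and every line tagged [REUSE] is an account a credential-stuffing attacker gets for free the moment any one site in that group is breached. Delete the export file when you are done; it is your vault in plain text.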
Wrap Up
Contrary to what the general public believes, there are things you can do right now to inoculate yourself from data breaches. We listed just a few items above. There are many more that we’ve touched on in the past few months (search our archive here), and more to come in the near future.
We all know a friend or family member that could benefit from this post. Feel free to forward it to them directly from your inbox or use the share button below.
Disclaimer: None of the above is to be deemed legal advice of any kind. These are *opinions* written by a privacy attorney with 15+ years of working for, with and against Big Tech and Big Data.
Check out our Personal Privacy Stack here.
Proton is running a limited time promotion right now on their core offerings like Proton VPN and Proton Mail. Up to 50% off select packages for the Secrets of Privacy community.
Start removing your personal information from Google, data broker and people search sites today. Set up an account, pay a monthly/annual fee and forget about it - super easy, and an enormous time saver. Get started right away with DeleteMe here or PrivacyBee here.