81 comments

[ 3.5 ms ] story [ 170 ms ] thread
Arrr another one up for the pirates. Privacy it is!
If we trust what the company says, it seems like it's another one for using a password manager.
No need for passwords if there's no need for an account
i mainly use my roku to watch pirated tv shows. not sure how this is a win for pirates. (other than i don't really give a damn if somebody hacks my roku account)
[flagged]
Absolutely not.

You need to lay off the conspiracy theories.

Why would you risk an $8.6 billion dollar company for $10,000 of data?

How did you arrive at $10,000?
(comment deleted)
Why would they need to cover it up?
Never ascribe to malice what can easily be explained by carelessness.
A convenient excuse for the malicious.
I cancelled my account after the last ToS update, and my Roku is going into the next e-waste collection event. Fortunately, that password was never reused
For those who read even the first paragraph it's a credential stuffing attack. As in people used the same username/password combinations that were leaked or phished.

Use a password manager people.

The issue for smart devices, like TVs, is that you often have to type credentials in a tedious way without access to your password manager (other than transcribing it from your phone).
Most TV apps seem to use the ‘enter this code in a web browser’ auth model which gets around that limitation and allows you to use your browser’s password manager support.
Yep, or just "scan this QR code on your phone" and auth becomes the same as anything else on your phone.
It's becoming common enough, but I've set up enough smart TVs in the past 2 years to realize it's not universal.
The Hulu app on my ATV4k refuses to activate the keyboard input on my other devices like the other apps on my ATV do. I know this because it recently started asking me to re-login for whatever reason, and I have been trying to get my password manager password into the app without using the dumb remote. It just will not do it.

Long winded way of saying that other devices do it as well

Funnily enough, Roku now explicitly disallows this and will reject any paid app on their platform that tries to use it. (Although Netflix, Amazon, etc can do what they like as usual.)
The keyboard on phone is now on every smart TV platform, Roku included. There's no situation where I wouldn't want to go and fetch my phone instead of hunting down the on screen letters for my username and password.
Without setting up the TV partially and downloading an app? You can also add a bluetooth keyboard to most TVs as well.
What is the situation where the smart tv doesn't have the internet where you need to log in? My wifi password is specifically easy to input on any device.

If you're already buying a smart tv device and putting it on your network, downloading an app that gives you better control over it doesn't seem like a step too far. Especially with phone permissions being more finely grained than whatever the box itself is doing.

For the typical HN user, but my original point was that the users likely to get breached via credential stuffing are going to take as many shortcuts as possible.
Not to the Roku. And many casual watchers are allergic to the thought of using a keyboard with the TV.
the use passphrases that you can easily read from your password manager and type it.
You can create a password that consists entirely of lowercase letters that is easy to enter on such a keyboard and also secure. The point is to not reuse it on your other accounts.
> that is easy

Anyone who has supported digital devices for friends and family (especially elderly ones) knows it is in fact not easy.

These accounts exist for the commercial benefit of companies. They could tie authorization to the hardware if they wanted to, like it used to be before the internet, but they don't. The idea that consumers need to do data and security management for the commercial benefit of corporations has gotten absurd. We're doing their IT for them, and still getting hacked even when we do it right. Remember Equifax? Pepperidge farms remembers Equifax.

all lower case won't pass many password requirements.

That said, it's possible to come up with an easy to remember scheme and is unique (like {ServiceName}@{houseNumber} or the like).

My mom did this with the name of the website and her birthday. Amazingly, hackers figured out her cypher.
It's definitely not the most secure system, and I'd never use it for anything other than streaming entertainment, since once there's a breach at one place, anyone looking at the list can guess other sites easily.
That's not too amazing if we're cracking a leaked password database.

In that case, we generate passwords and try them against every (hash, salt) pair in the database. We can usually crack 60 percent of a database this way, and more if we use AI driven cracking (PassGAN, 2017).

It makes sense to try variants of "netflix{birthday}" early on, since that uncovers a significant portion of the database. Your mom would have just been unlucky to be part of that low-hanging cohort.

It would actually be kind of interesting to have a password manager that generated passwords that are “nice” for entering with a tv remote. It would definitely reduce the complexity of the passwords, but then you can just go longer. I’d probably want rules like

“Characters should be adjacent on that particular gridded qwerty keyboard that TVs tend to use or two-off in a single directions. Double characters are also ok. Long strings of upper or lower case letters.”

I guess the number of possible passwords is something like 26*(9^(n-1)), ignoring special characters and (rare) case changes. Also ignoring the edges of the keyboard, which probably really messes my path up because it isn’t very tall.

You'd need 15+ lowercase characters to be close to secure. How many are going to do that?
I hate how Chromecasting is being phased out by Google over GoogleTV (or whatever they call it now). Just playing from your mobile phone alleviated this issue perfectly. Now Netflix for instance hijacks your cast command to force a login on Samsung TVs
Google will never come up with a branding and stick to it. They could’ve built a better walled garden than Apple but chose not to because it doesn’t align with their financials currently and their org is basically 100 startups in a trench coat all funded by ads.
Chromecast isn't being phased out, not sure what you mean? Your issue with Netflix is how the Netflix app works, it wants a second layer of authentication, and the nature of the framework (it's not just streaming video from a device, it's basically an app that gets beamed over so the device can do the streaming itself) is that they can put up whatever they want. Do the same thing with Youtube and it's seamless. Try it with AppleTV and there's no support at all (beyond trickery like casting a browser window). Big Tech can't agree on this stuff and never will as long as there's a garden wall to build.
I just meant that Google is focusing more on their AndroidTV/GoogleTV way of doing things (apps on the TV) than continuing working towards casting from mobile devices onto the TV.

This lack of focus on Casting is certainly causing it feel like it is becoming obsolete. For instance many Android apps now have bugs when it comes to casting (stuttering video or the cast button only showing up when restarting the app).

I received the email saying i was included. I use a PW manager.
To generate passwords or just store them?
Both. I use bitwarden with yubikey.
Don't like all eggs in one basket.
some baskets are more secure (e.g. an encrypted database) than others (e.g. your head).
My head is more secure than any database, but it is lossy.
head lacks sufficient memorization capacity lending to proneness to credential reuse—which, in this specific context, makes it inherently less secure. but i would agree head is safer than any other basket, definitely.
I have 2 Roku TVs, and I suppose I should be deeply concerned, but at this point, I'm just like "meh". By this time my info has been in enough data breaches of supposedly more secure companies like Adobe and others that I feel like "defensive Internetting" is the only real answer (password managers, single-use credit card numbers when you can, etc)
my roku has had a forgotten password for years. does this mean there might be a record of it somewhere so i can get it?
Makes me happy I used a 1 hour throw away email address to satisfy Rokus insane demand that I create an account just to watch TV.
[flagged]
What a terrible attitude. Wanting nice things, even small luxuries, that suit your need is entitlement? This is dark ages thinking.
[flagged]
To me it sounds like you're already convinced that the earth is flat and just taking out your bad day at people online.
I have a Roku branded TV. It was a budget option to replace my very old set. When I turned it on would not let me watch anything without creating a Roku account. I am only gathering from your comment that people actually buy a Roku as a device or something?

Not entirely sure where buying a cheap tv and avoiding data harvesting equates to entitlement. Seems like keyboard warrior passive agression is quite liberating for you though.

How convenient for Roku to announce this breach soon after they forced an arbitration clause change in their ToS
No one was going to sue them for failing to stop a credential stuffing attack. There are things they could have done to mitigate it, but between the low damages (someone got to stream some stuff on my account for a few days, maybe?) and the fact that sufficiently protecting against credential stuffing is vanishingly rare as an industry practice, there was never going to be a profitable class action lawsuit coming out of this "breach".
If the stock goes down, maybe it’s securities fraud? No arbitration agreement there.
If it is, we’ll probably heard about it from Matt Levine’s newsletter.
I feel 23andMe's feet deserved to be held to the fire over a credential stuffing attack, not just because of the sensitivity of the data, but because of how they allowed accounts using insecure authentication methods to access data from other accounts.

Roku though? The data stored in a Roku account is not totally insensitive, but it's not seriously sensitive. A lax security posture is justifiable. I would personally not care a bit if somebody infiltrated my Roku account and I don't believe most people would. The accounts mostly exist for Roku's purposes more than their customers.

My only concern might be people using my account to authorise charges I did not approve to rent movies, but I don't see why anybody would actually want to do that, since it's a lot more cumbersome than piracy.

The Video Privacy Protection Act is one of the few data protection laws Americans get to enjoy. Legally, video history is more sensitive than things like location tracking data and electronic purchase records. Roku can't adopt a lax security posture in their line of business.
one imagines thorough lawyers always recommend a belt-and-suspenders approach to even the slightest liability potential.

and "low damages" (to/for whom?) don't typically inform the feasibility of a class action. it's generally presumable that individual damages are insufficient to justify most individual action—hence class formation/certification. but the 'profitability' of attorneys' fees awards certainly do.

(comment deleted)
Roku have turned into a really shitty company. Did they not just update their terms to prevent folk suing? Seems convenient…
This doesn't sound like a "breach". Rather Roku failed to detect use of weak/compromised passwords by users by attackers who successfully authenticated. Obviously some user data could be leaked but presumably the attackers were selling the accounts for use by others to watch TV?
It is a breach and credential stuffing attacks can be strongly mitigated with well known security measures. Such as using banned password lists, or measures to detect and block malicious attempts to access accounts by guessing passwords.
As a consumer I'm sick of seeing these data breaches. The market is not solving this problem.

We need legislation to force businesses to do security audits of their products if they collect PII, and fix the bugs in a reasonable time frame. If they don't they need major penalties that are recurring and increase over time. This way a whistleblower can report their company if they fail to properly perform an audit or fail to fix the bugs.

This may seem toothless, but avoiding shame and fines is a big motivator for companies in industries where data privacy regulation exists. If we can force them to start investing in security, that reduces the likelihood of security holes sticking around forever, leading to breach.

(comment deleted)
I have noticed an increasing trend of companies FORCING users into accepting aggressive terms of service by denying them the usage or ownership they're already entitled to. Roku did this famously, but so did Activision Blizzard AKA Microsoft (you can't access your games via Battle.net unless you accept terms), and so did TP Link (you can't access the admin interface for your router unless you accept terms). It's also getting worse in terms of ownership - Ubisoft recently shut down servers for a game called The Crew and then silently started deleting the game from players' libraries (https://www.rockpapershotgun.com/the-crew-has-started-disapp...). People think they did this deletion to prevent some kind of workaround to use the game files and play the game locally, but either way, it is a huge violation of the notion of ownership.

This will keep continuing until there are consequences for executives and companies - meaning fines, including retroactive ones, and jail time. For now, we need to keep spreading awareness and then pressure lawmakers to do something about it. But techies can just stop paying these companies any more money too.

side note: not your CDs, not your game.
Even the CDs these days will often refuse to play without an internet connection.
I'd put that more on the player trying to connect to Gracenote for metadata, cover art, and invasive tracking. CDExtra is dead and no OS will autoplay them so there isn't a way for redbook audio discs to execute code.
Umm, the topic is game CDs, not music.
I also like this phrase: If buying isn't owning, pirating isn't stealing.
I agree but there’s no choice really. All the major game studios do these anti consumer things. And many of them are being bought by larger companies like Microsoft or Netease or whoever
I wonder how people will react when Netflix starts enforcing two factor auth for logins. You know, industry best practice to stop cred stuffing.
I've seen this article floating around over the last few weeks. It is strange to me that a company would put out a "data breach" notice due to detected credential stuffing attacks.

From a reputational perspective I see people reacting thinking their data has been stolen, whilst not realising that this was due to credential stuffing.

If I was Roku I wouldn't have said the words "Data Breach" at all, I would just email customers recommending them that they change their password.