Roku makes 2FA mandatory for all after nearly 600K accounts pwned

Streaming giant Roku is making 2FA mandatory after attackers accessed around 591,000 customer accounts earlier this year. That's as specific as Roku went in terms of a timeline, but it said that the compromises occurred over two separate incidents. The first affected 15,363 accounts, which prompted the company to start …

  1. Anonymous Coward

    Credential stuffing and password spraying

    Hmmm... If only someone could develop a sign in that makes you wait half an hour if you put in the wrong password 3 times in a row. Hmmm....

    1. talk_is_cheap

      Re: Credential stuffing and password spraying

      So allowing a mass denial of service attack instead.

      1. Anonymous Coward

        Re: Credential stuffing and password spraying

        Hmmm... If only someone could develop a way to block connections from IP addresses blasting requests causing DOSs. Hmmm....

        1. Sora2566 Bronze badge

          Re: Credential stuffing and password spraying

          Who wants to be the one to tell AC about botnets?

          1. Anonymous Coward

            Re: Credential stuffing and password spraying

            Who wants to be the one to tell AC about MS Windows?

          2. Kevin McMurtrie Silver badge

            Re: Credential stuffing and password spraying

            It's very good to block botnets too. A lot of them come from cheap hosting providers where it's guaranteed that the source isn't a legitimate login.

        2. doublelayer Silver badge

          Re: Credential stuffing and password spraying

          They didn't mean denial of the site's service, but of the account's service. Let's say that I manage to get your email address used to sign in to these forums. I deliberately enter it on the login page with three random passwords. Now you can't log in for the next half an hour. If I wait and do it again, then you're locked out again.

          Fine, so to solve that problem, we do it per IP address. Only my IP is blocked for half an hour. So if I'm password spraying, I get a lot of IPs and try three from each of the nodes, then cycle onto another one. If I rent a rather small thousand-node network, I can test an average of 100 passwords a minute. The spraying attacks most likely to work aren't trying to brute force every set, but using a set of common passwords or ones they already know you use.

    2. Diogenes

      Re: Credential stuffing and password spraying

      I saw a cartoon that I can no longer find...

      Imagine an office with 2 people standing looking over a programmer's shoulder. The code they are looking at is a function called something like stopBruteForceAttacks...

      The code is

      if (correct password && first attempt) then

      display message "Incorrect Password - please try again"

      One of the 2 exclaims "you cunning bastard!"

    3. doublelayer Silver badge

      Re: Credential stuffing and password spraying

      "Hmmm... If only someone could develop a sign in that makes you wait half an hour if you put in the wrong password 3 times in a row. Hmmm...."

      That helps with spraying, but not so much with credential stuffing. If people reuse passwords and they get found, it's one try per account. Your rule has to count attempts on any account fast enough to realistically block IPs in a worldwide distributed system, and they will IP hop if you do it. Taking some steps to detect it is useful, but it will never be as effective as a user not reusing passwords, or at least not on accounts with sensitive things like active payment methods.
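The two doublelayer posts above argue that a per-account lockout hands out a denial of service, a per-IP lockout is side-stepped by a rented pool of nodes, and that what actually helps against stuffing is counting failures across every account at once. The following added example (editor's illustration, not code from the article or from any commenter) runs those three policies over two constructed attack streams: the "three wrong passwords on your e-mail" lockout DoS, and a 1,000-node stuffing run where each node makes one attempt on one account. Every threshold, address and hit rate in it is an assumption.

```python
"""Added example, not from the article or any commenter: three failed-login
policies run over two constructed attack streams, so the trade-offs argued in
the thread (lockout DoS, per-IP limits vs. distributed stuffing, fleet-wide
counting) can be seen in code. All thresholds are assumptions."""
from collections import defaultdict, deque

LOCKOUT_SECONDS = 30 * 60       # the "half an hour" from the thread
MAX_FAILS = 3                   # the "3 times in a row" from the thread
WINDOW_SECONDS = 60             # assumption: sliding window for fleet-wide counting
FLEET_FAIL_THRESHOLD = 50       # assumption: failures per window that is abnormal here


class PerAccountLockout:
    """Lock the *account* for LOCKOUT_SECONDS after MAX_FAILS wrong passwords.
    Stops spraying at one account, but anyone who knows the login name can
    trigger the lock and keep the real user out."""

    def __init__(self):
        self.fails = defaultdict(int)
        self.locked_until = defaultdict(float)

    def decide(self, ts, account, ip, password_ok):
        if ts < self.locked_until[account]:
            return "locked"
        if password_ok:
            self.fails[account] = 0
            return "allow"
        self.fails[account] += 1
        if self.fails[account] >= MAX_FAILS:
            self.locked_until[account] = ts + LOCKOUT_SECONDS
            self.fails[account] = 0
        return "deny"


class PerIPLockout:
    """Same rule keyed on the source IP. Immune to the lockout DoS, but an
    attacker with many nodes simply stays under MAX_FAILS per node."""

    def __init__(self):
        self.fails = defaultdict(int)
        self.locked_until = defaultdict(float)

    def decide(self, ts, account, ip, password_ok):
        if ts < self.locked_until[ip]:
            return "locked"
        if password_ok:
            return "allow"
        self.fails[ip] += 1
        if self.fails[ip] >= MAX_FAILS:
            self.locked_until[ip] = ts + LOCKOUT_SECONDS
            self.fails[ip] = 0
        return "deny"


class FleetWideFailureRate:
    """Count failures across *all* accounts in a sliding window. When the rate
    is abnormal, step up to a challenge (2FA, CAPTCHA) for successful password
    logins instead of locking anyone out, so a stuffed credential that happens
    to be right still does not walk straight in."""

    def __init__(self):
        self.recent_fails = deque()

    def decide(self, ts, account, ip, password_ok):
        while self.recent_fails and self.recent_fails[0] <= ts - WINDOW_SECONDS:
            self.recent_fails.popleft()
        if not password_ok:
            self.recent_fails.append(ts)
            return "deny"
        return "challenge" if len(self.recent_fails) > FLEET_FAIL_THRESHOLD else "allow"


def lockout_dos_scenario():
    """Constructed: someone who knows only the victim's e-mail sends MAX_FAILS
    wrong passwords; a minute later the real user logs in from home."""
    events = [(t, "victim@example.invalid", "203.0.113.9", False) for t in range(MAX_FAILS)]
    events.append((60, "victim@example.invalid", "198.51.100.7", True))
    return events


def distributed_stuffing_scenario(nodes=1000):
    """Constructed: each of `nodes` rented hosts tries one leaked password
    against one account, spread evenly over ten minutes; one leaked password
    in twenty still works (constructed figure)."""
    return [((i * 600) // nodes, f"user{i}@example.invalid",
             f"10.{i // 256}.{i % 256}.1", i % 20 == 0) for i in range(nodes)]


def run(policy, events):
    return [policy.decide(*event) for event in events]


def victim_outcome(policy_cls):
    """What the real user sees at the end of the lockout-DoS stream."""
    return run(policy_cls(), lockout_dos_scenario())[-1]


def stuffing_summary(policy_cls):
    """How a distributed stuffing run fares against a policy."""
    decisions = run(policy_cls(), distributed_stuffing_scenario())
    return {d: decisions.count(d) for d in ("allow", "challenge", "deny", "locked")}


if __name__ == "__main__":
    for cls in (PerAccountLockout, PerIPLockout, FleetWideFailureRate):
        print(f"{cls.__name__:22s} victim after DoS: {victim_outcome(cls):9s} "
              f"stuffing: {stuffing_summary(cls)}")
```

Running it shows the shape of the argument: the per-account policy reports the victim as "locked" after the DoS, the per-IP policy never trips once during the stuffing run because no node exceeds three failures, and only the fleet-wide counter notices the run and pushes the 47 stuffed logins that would otherwise have succeeded into a challenge (the first three slip through before the rate crosses the threshold, which is why the poster's point stands: detection helps, but a non-reused password and a second factor are what actually close the gap).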

  2. HereIAmJH

    Not all bad

    I didn't get notified, and see no indication that I was affected. But OTOH, I set up my Roku account MANY years ago when I actually used passwords that can be remembered and typed. Now I use a password manager and this nudged me into updating my Roku password. Now it's 32 characters and not even I could log in without my password manager.

    Having said that, sending an email with a code to log in and calling it 2FA is bullshit. There are plenty of free, trusted authenticator apps available. Quit using email and SMS and calling it 'authentication' if you want anyone to take you seriously.
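The "free, trusted authenticator apps" HereIAmJH mentions are, almost without exception, implementations of TOTP (RFC 6238): a shared secret plus the current 30-second time step, hashed, and nothing sent over e-mail or SMS at all. The following added example (editor's illustration, not code from the article or any commenter) implements the generator and a server-side verifier with a one-step tolerance and a replay guard, checked against the RFC's published test vectors; the secret is the RFC's own test key, so nothing here is a real credential.

```python
"""Added example, not from the article or any commenter: TOTP (RFC 6238) as
used by authenticator apps, with a verifier that tolerates one step of clock
drift and refuses to accept the same step twice. The key is the RFC test key."""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP is HOTP with the counter set to the current time step."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits)


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps exchange the secret as unpadded base32 (the QR code)."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Server-side check. `window` steps either side of 'now' absorb clock
    drift; `last_counter` stops a code that was already accepted from being
    replayed inside that window."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def verify(self, candidate: str, at=None) -> bool:
        counter = int(time.time() if at is None else at) // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            step = counter + delta
            if step <= self.last_counter:          # replay guard
                continue
            if hmac.compare_digest(hotp(self.secret, step), candidate):
                self.last_counter = step
                return True
        return False


if __name__ == "__main__":
    key = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")   # RFC 6238 test key
    print("code at T=59:", totp(key, 59))                           # RFC vector 94287082 -> 287082
    print("current code:", totp(key))
```

The point of the block relative to the e-mail code model: there is no message to be delayed, intercepted or expire in transit, because both sides compute the code independently from the secret and the clock. A deployment still has to protect the stored secret as it would a password hash, and the replay guard matters because the drift window otherwise lets a code that was phished or shoulder-surfed be reused for up to 90 seconds.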

    1. hayzoos

      Re: Not all bad

      The time lag is also an issue. There is a widespread belief that SMS and even email are instantaneous message delivery services. I am seeing more "this code is only valid for [some arbitrary time]" and the message carrying the code takes longer than that to arrive. On a recent failed login sequence involving late code delivery, I examined the email headers only to find out the earliest timestamp was after the code had expired.
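The check hayzoos describes, reading the e-mail headers to see when the message was first handled, can be scripted. The following added example (editor's illustration, not code from the article or any commenter) pulls the timestamps out of each Received: header, takes the earliest hop as a lower bound on delivery, and compares it with the Date: header and an assumed five-minute validity window. The message, addresses and window are constructed.

```python
"""Added example, not from the article or any commenter: read the Received:
headers of a sign-in-code e-mail and decide whether the code had already
expired before the first relay even accepted the message. The message and
the 5-minute window are constructed assumptions."""
import email
from datetime import timedelta
from email.utils import parsedate_to_datetime

CODE_VALIDITY = timedelta(minutes=5)   # assumption for "[some arbitrary time]"

# Constructed message: Date: is when the site generated the code; the lowest
# Received: stamp is when the first relay took it, seven minutes later.
LATE_MESSAGE = """\
Received: from mx2.example.invalid (mx2.example.invalid [192.0.2.20])
 by inbox.example.invalid with ESMTP; Tue, 16 Apr 2024 10:08:44 +0000
Received: from mailer.example.invalid (mailer.example.invalid [192.0.2.10])
 by mx2.example.invalid with ESMTP; Tue, 16 Apr 2024 10:07:30 +0000
Date: Tue, 16 Apr 2024 10:00:05 +0000
From: no-reply@example.invalid
To: user@example.invalid
Subject: Your sign-in code

Your code is 123456. It expires in 5 minutes.
"""

# The same message with a prompt first hop, for contrast (also constructed).
PROMPT_MESSAGE = LATE_MESSAGE.replace("10:07:30", "10:00:20").replace("10:08:44", "10:00:31")


def hop_timestamps(raw: str):
    """Timestamps from every Received: header, newest relay first. Each
    header's date is the part after its last ';'."""
    msg = email.message_from_string(raw)
    stamps = []
    for value in msg.get_all("Received", []):
        date_part = " ".join(value.rsplit(";", 1)[-1].split())   # unfold whitespace
        stamps.append(parsedate_to_datetime(date_part))
    return stamps


def issued_at(raw: str):
    """When the sender says it generated the message (and the code)."""
    return parsedate_to_datetime(email.message_from_string(raw)["Date"])


def delivery_lag_seconds(raw: str) -> int:
    """Seconds from code generation to the *earliest* relay handoff: a lower
    bound on how late the code could have reached the user."""
    return int((min(hop_timestamps(raw)) - issued_at(raw)).total_seconds())


def dead_on_arrival(raw: str, validity: timedelta = CODE_VALIDITY) -> bool:
    """True when even the first relay saw the message after the code expired."""
    return min(hop_timestamps(raw)) > issued_at(raw) + validity


if __name__ == "__main__":
    for name, raw in (("late", LATE_MESSAGE), ("prompt", PROMPT_MESSAGE)):
        print(f"{name}: {delivery_lag_seconds(raw)} s lag, "
              f"expired before first hop: {dead_on_arrival(raw)}")
```

Note that Received: headers are written by the relays, so the earliest one only says when the sender's infrastructure handed the message off, not when the site generated the code; if Date: and the first hop are already minutes apart, the delay is on the sending side, which is what the poster found. The site itself cannot observe any of this, which is why a validity window sized for instant delivery is the wrong fix and a code that never travels is the right one.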

    2. RedGreen925 Bronze badge

      Re: Not all bad

      "Quit using email and SMS and calling it 'authentication' if you want anyone to take you seriously."

      Indeed, I think the same every time my god damn bank does their security theater on logins. Listing only those two choices, for my protection don't you know, yeah right, both sent in plain text for interception and use.

  3. The Dogs Meevonks Silver badge

    This is why they tried to update their terms of service for US users (maybe in other countries too) to force users into accepting forced arbitration... and there was no way to opt out, only an agree button... and if you didn't press agree, you couldn't even use your device as the popup stopped all functionality until you agreed.

    Louis Rossmann has done a couple of vids on the subject.

  4. Alumoi Silver badge

    ...using the payment details stored in the user accounts...

    Why, FFS? Why do they store that information?

    Oh, I know, so they can bill the sucker in case he forgets to cancel the account... Erm, sorry, that's a typo, I mean 'for your convenience'. Right?

    1. Timo

      Re: ...using the payment details stored in the user accounts...

      It dates back to the ancient old days of app stores and buying apps, before the apps themselves had a way to charge you directly. You could (maybe still can) buy and pay for apps / "channels" using the credit card that you stored in Roku, likely when you originally set up your account and then forgot about.

      Remember when you'd go to the app store and buy an app for $1.99 and that was it? And Apple or Google got their cut? Now you download the app for free and sign into your Netflix or Amazon.
