
Credential stuffing and password spraying
Hmmm... If only someone could develop a sign in that makes you wait half an hour if you put in the wrong password 3 times in a row. Hmmm....
Streaming giant Roku is making 2FA mandatory after attackers accessed around 591,000 customer accounts earlier this year. That's as specific as Roku went in terms of a timeline, but it said that the compromises occurred over two separate incidents. The first affected 15,363 accounts, which prompted the company to start …
They didn't mean denial of the site's service, but of the account's service. Let's say that I manage to get your email address used to sign in to these forums. I deliberately enter it on the login page with three random passwords. Now you can't log in for the next half an hour. If I wait and do it again, then you're locked out again.
Fine, so to solve that problem, we do it per IP address. Only my IP is blocked for half an hour. So if I'm password spraying, I get a lot of IPs and try three from each of the nodes, then cycle onto another one. If I rent a rather small thousand-node network, I can test an average of 100 passwords a minute. The spraying attacks most likely to work aren't trying to brute force every set, but using a set of common passwords or ones they already know you use.
I saw a cartoon that I can no longer find...
Imagine an office with 2 people standing looking over a programmer's shoulder. The code they are looking at is a function called something like stopBruteForceAttacks...
The code is
if (correct password && first attempt) then
display message "Incorrect Password - please try again"
One of the 2 exclaims "you cunning bastard!"
"Hmmm... If only someone could develop a sign in that makes you wait half an hour if you put in the wrong password 3 times in a row. Hmmm...."
That helps with spraying, but not so much with credential stuffing. If people reuse passwords and they get found, it's one try per account. Your rule has to count attempts on any account fast enough to realistically block IPs in a worldwide distributed system, and they will IP hop if you do it. Taking some steps to detect it is useful, but it will never be as effective as a user not reusing passwords, or at least not on accounts with sensitive things like active payment methods.
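A defender-side illustration of the three rules argued over above, added here as an example that is not part of the thread: per-IP lockout, per-account lockout (the rule an attacker can abuse to lock a user out) and a spray rule that counts distinct failing accounts in a time window regardless of source IP. The log format, IPs, account names and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample auth log, one event per line: "<ISO time> <source IP> <account> <result>".
# Three low-volume IPs each try a few different accounts (a spray staying under a per-IP
# limit), one IP hammers a single account (the lockout-as-denial-of-service case), one real login.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.10 alice FAIL
2024-05-01T10:00:02Z 203.0.113.10 bob FAIL
2024-05-01T10:00:03Z 203.0.113.10 carol FAIL
2024-05-01T10:00:04Z 203.0.113.11 dave FAIL
2024-05-01T10:00:05Z 203.0.113.11 erin FAIL
2024-05-01T10:00:06Z 203.0.113.12 frank FAIL
2024-05-01T10:00:07Z 198.51.100.5 alice FAIL
2024-05-01T10:00:08Z 198.51.100.5 alice FAIL
2024-05-01T10:00:09Z 198.51.100.5 alice FAIL
2024-05-01T10:00:30Z 192.0.2.7 grace OK
"""

def parse(line):
    """Split one log line into (epoch seconds, ip, account, result)."""
    ts, ip, account, result = line.split()
    ts = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.timestamp(), ip, account, result

def analyze(log_text, window=60, per_ip_limit=3, per_account_limit=3, spray_min_accounts=5):
    """Bucket failed logins into tumbling windows of `window` seconds and apply three rules:
    per-IP lockout (the 'block my IP' rule), per-account lockout (the rule an attacker can
    abuse to lock a user out) and a spray rule that counts distinct failing accounts in the
    window regardless of source IP."""
    fails_by_ip = defaultdict(int)
    fails_by_account = defaultdict(int)
    accounts_in_window = defaultdict(set)
    for line in log_text.splitlines():
        ts, ip, account, result = parse(line)
        if result != "FAIL":
            continue
        w = int(ts // window)
        fails_by_ip[(w, ip)] += 1
        fails_by_account[(w, account)] += 1
        accounts_in_window[w].add(account)
    return {
        "blocked_ips": sorted({ip for (_, ip), n in fails_by_ip.items() if n >= per_ip_limit}),
        "locked_accounts": sorted({a for (_, a), n in fails_by_account.items() if n >= per_account_limit}),
        "spray_windows": sorted(w for w, accts in accounts_in_window.items() if len(accts) >= spray_min_accounts),
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample data the per-IP rule blocks only the two noisy IPs and misses 203.0.113.11 and 203.0.113.12, the per-account rule locks alice out because of the attacker's failures, and the spray rule fires because six different accounts failed in one window.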
I didn't get notified, and see no indication that I was affected. But OTOH, I set up my Roku account MANY years ago when I actually used passwords that can be remembered and typed. Now I use a password manager and this nudged me into updating my Roku password. Now it's 32 characters and not even I could log in without my password manager.
Having said that, sending an email with a code to log in and calling it 2FA is bullshit. There are plenty of free, trusted authenticator apps available. Quit using email and SMS and calling it 'authentication' if you want anyone to take you seriously.
The time lag is also an issue. There is a widespread belief that SMS and even email are instantaneous message delivery services. I am seeing more "this code is only valid for [some arbitrary time]" and the message carrying the code takes longer than that to arrive. On a recent failed login sequence involving late code delivery, I examined the email headers only to find out the earliest timestamp was after the code had expired.
"Quit using email and SMS and calling it 'authentication' if you want anyone to take you seriously."
Indeed, I think the same every time my god damn bank does their security theater on logins. Listing only those two choices, for my protection, don't you know. Yeah right, both sent in plain text for interception and use.
This is why they tried to update their terms of service for US users (maybe in other countries too) to force users into accepting forced arbitration... and there was no way to opt out, only an agree button... and if you didn't press agree, you couldn't even use your device as the popup stopped all functionality until you agreed.
Louis Rossmann has done a couple of vids on the subject.
It dates back to the ancient old days of app stores and buying apps, before the apps themselves had a way to charge you directly. You could (maybe still can) buy and pay for apps / "channels" using the credit card that you stored in Roku, likely when you originally set up your account and then forgot about.
Remember when you'd go to the app store and buy an app for $1.99 and that was it? And Apple or Google got their cut? Now you download the app for free and sign into your Netflix or Amazon.