If you use your pet’s name as the password for all your online accounts: stop it, stop it right now.
The latest data breach involving Roku should be a reminder to you to always use unique passwords for each of your accounts — even for services like Roku that may seem less important than your online banking app, for example.
Over 15,000 Roku customer accounts were breached, according to BleepingComputer. A Roku spokesperson would not confirm to Business Insider exactly how many accounts were affected.
“Roku is committed to maintaining our customers’ privacy and security, and we take this incident very seriously,” the company said in a statement shared with Business Insider, adding that Roku immediately secured customers’ accounts and notified them.
The company said it’s likely the hackers got Roku customers’ username and password combinations for other sites not connected to Roku, and then those same credentials were used to access the person’s Roku account.
The company added that once hackers gained access to the Roku accounts, they then changed the customer’s login information, locking them out of their accounts. In some cases, the hackers tried to purchase streaming subscriptions from the person’s account.
This type of attack is called credential stuffing, and it does not involve breaking into Roku’s systems at all. It works because customers used the same password on Roku that they had already used on another site, and that other site had been breached.

Credential stuffing is when attackers take username and password pairs leaked from one service and try them, usually automatically and in bulk, against the login pages of other services, counting on people having reused them. Those lists typically come from phishing schemes or earlier data breaches. Sometimes they'll even sell the working logins to other criminals, who then steal your information or use the account to make purchases.
BleepingComputer reported that in the case of the Roku attack, the hackers were selling Roku accounts for 50 cents each.
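Seen from the service's side, the attack described above has a recognizable shape: one source tries many different usernames in quick succession, and most attempts fail because the leaked password was stale or never reused there. The following is an added example, not code from the article or from Roku: a small detector that aggregates a login log by source address and flags that pattern, then lists the accounts that were actually opened so they can be locked and reset. The log format, the addresses, the usernames and the thresholds are all assumptions chosen for illustration.

```python
"""Spot credential stuffing in an authentication log.

Added example; not the article's or Roku's code. The log format
(one line per attempt: timestamp, src=IP, user=name, result=OK|FAIL)
and the thresholds below are assumptions made for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real traffic). Three sources: an attacker
# replaying a leaked username/password list (many distinct users, mostly
# failures, a couple of hits), one user mistyping her own password, and an
# office NAT address behind which several people log in normally.
SAMPLE_LOG = """\
2024-03-08T10:00:01Z src=198.51.100.23 user=alice result=FAIL
2024-03-08T10:00:01Z src=198.51.100.23 user=bob result=OK
2024-03-08T10:00:02Z src=198.51.100.23 user=carol result=FAIL
2024-03-08T10:00:02Z src=198.51.100.23 user=dave result=FAIL
2024-03-08T10:00:03Z src=198.51.100.23 user=erin result=FAIL
2024-03-08T10:00:03Z src=198.51.100.23 user=frank result=OK
2024-03-08T10:00:04Z src=198.51.100.23 user=grace result=FAIL
2024-03-08T10:00:04Z src=198.51.100.23 user=heidi result=FAIL
2024-03-08T10:05:10Z src=203.0.113.7 user=alice result=FAIL
2024-03-08T10:05:20Z src=203.0.113.7 user=alice result=FAIL
2024-03-08T10:05:35Z src=203.0.113.7 user=alice result=OK
2024-03-08T10:07:00Z src=192.0.2.10 user=ivan result=OK
2024-03-08T10:07:05Z src=192.0.2.10 user=judy result=OK
2024-03-08T10:07:09Z src=192.0.2.10 user=mallory result=FAIL
2024-03-08T10:07:15Z src=192.0.2.10 user=mallory result=OK
2024-03-08T10:07:30Z src=192.0.2.10 user=niaj result=OK
2024-03-08T10:07:41Z src=192.0.2.10 user=olivia result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    """Per-source-address counters over the analysed window."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # every username tried
    successes: set = field(default_factory=set)   # usernames that logged in OK

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_log(text: str) -> dict[str, SourceStats]:
    """Aggregate login attempts by source address; malformed lines are skipped."""
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = stats[m["src"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(m["user"])
    return dict(stats)


def flag_stuffing(stats: dict[str, SourceStats], *, min_attempts: int = 5,
                  min_distinct_users: int = 5, min_fail_ratio: float = 0.6) -> list[str]:
    """Return source addresses whose pattern matches credential stuffing.

    Stuffing replays leaked username/password pairs, so one source touches
    many different usernames and most attempts fail. That separates it from a
    user mistyping one password (a single username, few attempts) and from a
    busy NAT address (many users, but mostly successful logins).
    """
    return sorted(
        src for src, s in stats.items()
        if s.attempts >= min_attempts
        and len(s.users) >= min_distinct_users
        and s.fail_ratio >= min_fail_ratio
    )


def compromised_accounts(stats: dict[str, SourceStats], flagged: list[str]) -> list[str]:
    """Usernames that logged in successfully from a flagged source: the accounts
    whose reused password was in the attacker's list and should be locked and reset."""
    return sorted({u for src in flagged for u in stats[src].successes})


if __name__ == "__main__":
    stats = parse_log(SAMPLE_LOG)
    flagged = flag_stuffing(stats)
    for src in flagged:
        s = stats[src]
        print(f"{src}: {s.attempts} attempts, {len(s.users)} users, {s.fail_ratio:.0%} failed")
    print("accounts to lock and reset:", compromised_accounts(stats, flagged))
```

Run on the sample, only 198.51.100.23 is flagged (8 attempts, 8 usernames, 75% failed) and the accounts to reset are bob and frank; the mistyped password from 203.0.113.7 and the office NAT at 192.0.2.10 pass through untouched. Real attackers spread attempts across many proxy addresses, so in production the same counters would be kept per address range and per time window, but the distinguishing signal, many usernames with a high failure rate, is the same.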
While this sounds scary, the good news is there are a few things you can do to protect yourself from becoming a victim of this type of attack.
The first thing you can do is always stay vigilant against phishing scams.
For example, be suspicious of any login link you receive by email or text, even if it appears to come from a company you trust. Phishers send from addresses that look almost identical to the real company’s address and direct you to a lookalike login page that captures whatever username and password you type. Instead of following the link, open the company’s site yourself by typing its address or using a bookmark you saved earlier.
And perhaps most importantly, use a unique, hard-to-guess password for every account, so that a password leaked from one site cannot open any other. Where a service offers two-factor authentication, turn it on as well: a password stolen elsewhere is then not enough on its own to log in.
You don’t even have to memorize all of them. A password manager is the best way to keep track of your passwords, and most can generate a long, random, unique password for each of your accounts and fill it in for you. Options include paid services such as LastPass and free ones such as Bitwarden or Apple’s built-in iCloud Keychain.