Sure wish CISA and SEC would effectively monitor and fine companies that suffer data breaches. After all, we're not being paid for that data, yet we remain the victim of their actions.
Reporting requirements exist [1], civil and criminal penalties will require Congressional action.
Definitely gross that companies are using forced arbitration to avoid liability for their breaches (first 23andme, now Roku). Call your congressperson. Also, if you are impacted/have standing, consider an FTC complaint [2] and contacting your state’s attorney general.
I'm sure that after my phone call, my congressperson will drop all the things he is being paid thousands of lobbying dollars to do on behalf of his donors to get right on this. Sorry for the snark, but normal people are powerless to do anything about these shenanigans.
Medicare drug negotiations and $8 credit card late fee payments are my rebuttal. You aren’t supposed to fix it; you’re bringing it to the attention of leverage who can. Phone call is free besides your time.
Super cynical. Those people hold outsized power, but they are not invincible by any stretch of the imagination. We hold the power in that we elect the public officials. They care about what we think also.
I don't know what you mean by "fact", but your vote certainly holds less proportional power to influence a politician than that of 1/(population of the us). Politicians straight-up don't care about your opinion unless you can show up as a meaningful horde, and judging by the reaction to the Israeli invasion of Palestine that doesn't hold much water either.
I guess I read your comment as contradicting itself by the phrase "the power" rather than "the illusion of power", especially since the American public is so easily distracted by petty squabbling, whereas capital is emphatically not easily distracted but extremely focused on what it wants.
Anyway, I don't mean to start an argument over the power of voting, illusory or no. We all have opinions about the value of voting that we hold rather tightly given so much emphasis is placed on it as the center of the political power we do hold.
- while a total lockdown on exposure control of your personal data is basically impossible, proactive choices that do limit it shouldn't be dismissed out of hand
- a working knowledge and practice of bushcraft can be a useful skill, a fulfilling hobby, and can be practiced without feeding money to whatever the flavor of the week is
- conversely, if you do get into that, be prepared for profiteers in that field to push into your attention. Going all bushcrafty is no protection on its own.
The article cites these two sources [1][2] which say
> Unauthorized individuals using account credentials believed to have been obtained from third-party source(s) were used to access individual customer accounts
> potentially affecting 15,363 individuals in the United States, including 76 in the state of Maine.
Odd that Roku singles out the 0.5% of users affected within the state of Maine. Must be related to some sort of Maine data breach law? I didn't dig too deeply, but not seeing anything explicitly called out in their statutes [0].
This just looks more like Roku had identified significant amounts of credential stuffing across customer accounts, as opposed to someone breaking into the back end of Roku and leaking customer account details.
It could also be targeted credential stuffing given recent events. An interesting tactic to create problems for a company.
I'm not saying Roku is a good company, but this isn't really a data breach but poor credential management by customers.
Roku is also taking heat for using forced arbitration at all, which some argue can have one-sided benefits. In a similar move in December, for example, 23andMe said users had 30 days to opt out of its new dispute resolution terms, which included mass arbitration rules (the genetics firm let customers opt out via email, though). The changes came after 23andMe user data was stolen in a cyberattack. Forced arbitration clauses are frequently used by large companies to avoid being sued by fed-up customers.
If enough people do it, forced arbitration can actually end up being expensive for the company. IIRC, there was a case where the company itself tried to get out of the forced arbitration and go to court since it was a pain to try to handle a massive number of individual arbitration cases.
I wonder how Roku would react if every Roku user filed an arbitration case since your data was at risk.
> IIRC, there was a case where the company itself tried to get out of the forced arbitration and go to court since it was a pain to try to handle a massive number of individual arbitration cases.
> Judge Breyer suggested at the Dec. 17 hearing on the proposed class action settlement that Intuit has only itself to blame for its mass arbitration predicament. “You knew what the rules of arbitration were. You knew all these things. And you elected - you elected to go to arbitration. And you fought fairly, vigorously, and it turns out correctly, that you had this right to insist on arbitration,” the judge told Intuit counsel Rodger Cole of Fenwick & West. “Now you come in, when you see how it is unfolding, and say: ‘Not so fast … Now we want to turn and do something else.’”
For those who don't know, just a week or so ago Roku amended the arbitration clause of their terms of service and soft-bricked every Roku in the US until you agreed to the new terms. This even extended to TVs from other brands with Roku software, making the TV non-functional even as a dumb display since the Roku software controls input selection AND would ignore any HDMI-CEC commands. I guess we know why now.
There is a 30-day window after agreeing where you can mail them a letter opting out of the new arbitration agreement.
Can anyone who understands legal stuff explain this? As a layman Roku’s popup seemed wildly insufficient verification that the account owners were the ones accepting these TOS.
Not an expert but have worked on similar stuff and there’s no specific controls that I know of around specifically verifying that the account owner sees these things, just that they’re made available and the account is notified.
The whole point of having a quick, online opt-in and an elaborate "mail us a notarized letter" opt-out is to make it very easy to opt in. Why would they want to make it harder? They're already on dodgy legal ground, and the "enter your PIN" wouldn't make it much firmer.
You're thinking like an engineer given the problem of "get people's consent" instead of like a businessman with the goal of "altering the deal."
Someone else pointed out that they can’t even prove it wasn't a dog who agreed by chewing on the remote. Yet somehow these clicks are still considered to legally bind the owner.
These lawyers who come up with these schemes never seem to consider capacity planning.
Forced arbitration? Much better than an expensive lawsuit.
Except when hundreds to thousands of people want arbitration and since the company wanted arbitration, we have to foot the bill... Yikes.
Hmmm. Fix the arbitration scaling problem by changing to forced mass arbitration. But the users will have to send in a letter to opt out of the new agreement.
Roku has 80 million+ accounts.
What happens when even one percent of those accounts opt out? Put on your "grudgingly-pay-the-outrageous-fine-with-pennies" hat and I'm sure you can come up with ways to increase the difficulty level of receiving many letters opting out of this new agreement.
My Roku-enabled TV used to bootloop whenever I blocked it from fetching screensaver ads. Support was happy to help. First step: (re)connect to the internet. Second step: disable any network ad blocking. Hmmmmm.
People rolled their eyes when I suggested that this was intentional, but these recent revelations strongly suggest that Roku is very comfortable exploiting the hell out of dark patterns.
If we don't enact stronger consumer protections, everything will work this way.
For years, it has been the case that, when booting up the Roku, the highlighted item would often be a link that would install an app. My kids have accidentally installed so many things. When I tried to remove YouTube, it suggested it below the installed apps, and the kids re-installed it, without having a clue what they were doing and were confused as to why it now showed ads (logged out), when before it didn't (logged in with Premium).
In the "old days," the junkbuster proxy used to return a 128x32(?) blank gif in lieu of an actual block because the page layout would :fu: if the ad wasn't in place and correctly sized. I could easily imagine that might help your situation, too
Don't misunderstand me: it's 100% atrocious that any device bootloops if some ad network 403s, but on the spectrum of "spit into one hand..." and nginx in the other ...
Haha, yes, that would be something to try, but in the meantime I upgraded monitors and the new one does not have Roku or any of Roku's problems. Yet. If Roku gets away with it this will be everywhere.
I hope some regulators ask for proof that the breach was “after” and not “the cause of”. It would not shock me to learn that this was the same playbook 23andme used.
I wonder if the obviously coordinated nature of this change will come back to bite them in the ass. It seems hard to believe that it was a good-faith change on their part.
Also, the breach happened while people were receiving services under the old TOS, not the new one. I wonder if that could impact things?
These are most likely people with easily guessed passwords like “password”. The notification suggests the attackers purchased these email/password combos in bulk. That’s likely all this is.
> As a result, unauthorized actors were able to obtain login information from third-party sources and then use it to access certain individual Roku accounts. After gaining access, they then changed the Roku login information for the affected individual Roku accounts, and, in a limited number of cases, attempted to purchase streaming subscriptions.
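The sequence quoted above (credentials obtained elsewhere, replayed against many accounts, then a login change and a purchase attempt on the ones that worked) is exactly the shape a defender looks for in authentication logs. The script below is an added illustration, not code from Roku or from anyone in this thread: it runs a simple credential-stuffing triage over a constructed log in an assumed `timestamp source_ip event account` format. It flags source IPs that hit many distinct accounts with a high failure rate (a list being replayed, rather than one user mistyping a password), then lists which accounts those sources logged into successfully and what sensitive actions followed. Thresholds and log format are assumptions chosen for the example.

```python
"""Credential-stuffing triage over a constructed authentication log (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log. Format (assumed for this example):
#   <iso timestamp> <source ip> <event> <account>
# event is one of: login_fail, login_ok, cred_change, purchase_attempt
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 login_fail alice@example.net
2024-03-01T10:00:02 203.0.113.7 login_fail bob@example.net
2024-03-01T10:00:02 203.0.113.7 login_ok carol@example.net
2024-03-01T10:00:03 203.0.113.7 login_fail dave@example.net
2024-03-01T10:00:03 203.0.113.7 login_fail erin@example.net
2024-03-01T10:00:04 203.0.113.7 login_ok frank@example.net
2024-03-01T10:00:05 203.0.113.7 login_fail grace@example.net
2024-03-01T10:00:06 203.0.113.7 login_fail heidi@example.net
2024-03-01T10:00:09 203.0.113.7 cred_change carol@example.net
2024-03-01T10:00:12 203.0.113.7 purchase_attempt carol@example.net
2024-03-01T10:05:00 198.51.100.4 login_fail ivan@example.net
2024-03-01T10:05:20 198.51.100.4 login_ok ivan@example.net
2024-03-01T10:30:00 192.0.2.9 login_ok judy@example.net
2024-03-01T10:31:00 192.0.2.9 cred_change judy@example.net
"""

SENSITIVE_ACTIONS = ("cred_change", "purchase_attempt")


@dataclass(frozen=True)
class Event:
    ts: str
    ip: str
    kind: str
    account: str


def parse_log(text):
    """Parse the assumed log format into Event records, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, kind, account = line.split()
        events.append(Event(ts, ip, kind, account))
    # ISO-8601 timestamps sort correctly as strings; sort is stable for ties.
    events.sort(key=lambda e: e.ts)
    return events


def stuffing_sources(events, min_accounts=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_accounts, fail_ratio)} for sources whose login
    traffic looks like a purchased list being replayed: many different
    accounts from one source, most of them failing. A single user
    mistyping their own password touches one account and is not flagged."""
    attempts = defaultdict(list)
    for e in events:
        if e.kind in ("login_fail", "login_ok"):
            attempts[e.ip].append(e)
    flagged = {}
    for ip, evs in attempts.items():
        accounts = {e.account for e in evs}
        fails = sum(1 for e in evs if e.kind == "login_fail")
        ratio = fails / len(evs)
        if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = (len(accounts), round(ratio, 2))
    return flagged


def account_takeovers(events, flagged_ips):
    """Map each account that a flagged source logged into successfully to the
    sensitive actions seen on it afterwards (from any IP). Accounts with an
    empty list still warrant a forced password reset; non-empty lists are
    the ones the quoted notice describes (login changed, purchase attempted)."""
    first_hit = {}
    for e in events:
        if e.kind == "login_ok" and e.ip in flagged_ips and e.account not in first_hit:
            first_hit[e.account] = e.ts
    followups = {acct: [] for acct in first_hit}
    for e in events:
        if (e.account in first_hit and e.kind in SENSITIVE_ACTIONS
                and e.ts >= first_hit[e.account]):
            followups[e.account].append(e.kind)
    return followups


def triage(text):
    """Run both checks over a log and return (flagged_sources, takeovers)."""
    events = parse_log(text)
    flagged = stuffing_sources(events)
    return flagged, account_takeovers(events, flagged)


if __name__ == "__main__":
    sources, takeovers = triage(SAMPLE_LOG)
    for ip, (n, ratio) in sources.items():
        print(f"stuffing source {ip}: {n} accounts, fail ratio {ratio}")
    for acct, actions in takeovers.items():
        print(f"reset {acct}: follow-on actions {actions or 'none'}")
```

On the constructed log, `203.0.113.7` is flagged (eight accounts, six failures), `carol@example.net` shows the full takeover pattern, `frank@example.net` was logged into but not yet acted on, and the legitimate users on the other two IPs are left alone even though one of them changed a credential. Real stuffing campaigns rotate source addresses, so a production version would group by ASN, user agent or device fingerprint as well as by IP, and the thresholds here are illustrative rather than tuned.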
This is your regular reminder to audit your password manager for accounts you no longer need, and then go and have those accounts deleted.
Of course you can't guarantee that your data will actually be purged, or that it hasn't already been compromised from these places - but less exposure is better than more exposure, right?
I think there's actually a huge industry around buying and using the information stolen in these breaches? Identity theft is a pretty big problem, no? This seems like a really weird take.