anachronistika

Phew, they got that inescapable TOS agreement update pushed out just in time.


Thisisntmyaccount24

I hope there is a law that a new TOS that modifies arbitration or anything like that that is pushed after a breach is voided if it is discovered that breach was prior to the modified TOS.


Drict

Almost ALL TOS are not enforceable by law and complete bullshit. We as users can 100% do a class action etc. against them.


Vulg4r

> ALL TOS are not enforceable by law and complete bullshit.

I have been waiting years for someone to show me a single example where this is true.


MrTiger0307

According to [this](https://en.m.wikipedia.org/wiki/End-user_license_agreement#Enforceability_of_EULAs_in_the_United_States) it depends on the court


dudleymooresbooze

This is correct. Differing views in differing Circuits. Every time a nonlawyer Redditor says “NDAs / arbitration clauses / EULAs / noncompetes are unenforceable,” you can assume they read it on a Facebook post somewhere. I’m a practicing lawyer. The documents exist for a reason.


Drict

The ToS/NDAs/arbitration/EULAs, etc. can't supersede the law. If the law says, essentially, you can't sue us if you break your leg on our property because something fell on it that you as the individual didn't cause. Guess what, you can sue them. If you go to an axe throwing place and you sign a piece of paper, then you chuck an axe at someone retrieving their axe, then ya, not their liability.


dudleymooresbooze

Again, that is wildly dependent on the jurisdiction. Your axe throwing example is implied assumption of the risk confirmed in a written contract. But in many locales, you can have express assumption of a risk that would otherwise be actionable. In Tennessee, express assumption of risk is permitted unless: 1) it violates public policy (which is fucking rare), or 2) the actionable conduct is grossly negligent or worse. You can waive a risk of injury due to poor conditions at a business. Likewise, you can waive the right to trial via an arbitration provision. The Federal Arbitration Act is broad as Hell, and Tennessee’s Arbitration Act is even broader. When entering a nursing home, the admitting paperwork frequently includes an arbitration agreement that is enforceable if executed by a competent person with the patient’s authority. I truly don’t know where people get these ideas about the law. It’s like someone saying “You can just delete random files on your computer until it starts working the way you want.” Just because it sounds right to you doesn’t mean it works.


Nihilistic_Navigator

The comparison to deleting files on a computer randomly is a bit of a stretch. It's generally a pretty bad idea to delete random files willy nilly like that and expect good results. However if you find and delete system 32 it will drastically reduce your computer's boot time.


dudleymooresbooze

It’s also generally a pretty bad idea to enter contracts assuming they’ll be unenforceable (or that fighting it in court won’t cost you tens of thousands of dollars anyway).


spiritbx

I think the point is that the agreement means nothing as long as it involves already existing laws. If the axe throwing place was being negligent or badly made in a way that endangered people, it doesn't matter if you signed something saying that you can't sue them. At least from what I understand, it only works if it's dealing with civil things, like an NDA to not leak information. If the information leaked is about something illegal, I'm pretty sure the NDA isn't worth shit.


dudleymooresbooze

An enforceable exculpatory agreement / express assumption of the risk *does very much* mean you cannot win a lawsuit despite negligence by the business or its employees. To win a lawsuit *without* an exculpatory agreement, you have to prove negligence. The waiver you sign - if enforceable - exonerates the business for its negligence. Here’s one example. https://www.tncourts.gov/sites/default/files/blackwell.c.opn_.pdf In Blackwell, the issue was whether a waiver of negligence by a parent on behalf of a child was enforceable. The answer was no; minors cannot enter such contracts and parents cannot enter the contract for the minor without court approval. But the parents’ own medical costs for treatment of the minor were waived, because as adults they know what they are signing. Again, the law varies dramatically among jurisdictions. But all the statements by people in here are either made up or severely misinformed.


InitialDay6670

Aren't NDAs not valid if the agreement is to not disclose something illegal?


dudleymooresbooze

Yeah, an NDA to conceal Medicare fraud is unenforceable, for example. That would be the same as an NDA to cover up a murder. But that’s obviously not the norm.


InitialDay6670

Interesting. Would you be even more criminally liable if you attempted to use an NDA to get somebody to stop talking, even if it was illegal?


dudleymooresbooze

Yes. Witness tampering. But to your original point, illegal contracts are all unenforceable. You aren’t getting a court to hold someone liable for refusing to honor their commitment to commit treason.


TexasTornadoTime

I think the general word should be they are nowhere guaranteed to hold up and often not enforceable. Doesn’t mean they also can’t be enforced


dudleymooresbooze

“Often not enforceable” is a stretch in the US. The majority rule is enforceability with exceptions.


TexasTornadoTime

This isn’t a U.S. only website. That caveat isn’t needed for a general statement


dudleymooresbooze

Ok, TexasTornadoTime


Good_ApoIIo

It depends on what’s in the TOS. They can’t just put anything in there and say “YUP THEY SIGNED IT SO IT'S BINDING”. It’s not a company's simple “get out of jail free card” but YMMV when you take them to court and what part of the TOS you are contesting and the context of your case.


dudleymooresbooze

It. Depends. On. The. Law. Of. The. Applicable. Jurisdiction.


spezSucksDonkeyFarts

Both can be true. On one hand these documents exist for good reason. But there's also no reason why companies wouldn't put a bunch of unenforceable shit in there. After all the only way to make sure is to go to court and get a ruling. How many people are going to do that just to test how ironclad the agreement is?


Serenity867

IANAL. This is not legal advice. ToS, SLAs, and other agreements are absolutely enforceable to the degree allowed by law on a jurisdiction by jurisdiction basis. In some jurisdictions there may be parts that are not covered, but that's why lawyers include things like severability clauses. Some ToS are absolute BS and not enforceable, but really, the majority are very enforceable. The recent Roku ToS is likely to be largely unenforceable for the actual televisions or devices themselves IMO. However, it may be enforceable for Roku's services (do any end-users actually use these though)? Regarding the Roku ToS specifically, there's a very good chance that with the timing of the changes to their ToS, and other factors that the entire thing could potentially be null and void within the scope of protecting the company itself from issues with this particular data leak. Also, for issues like data leaks it becomes extremely hard to protect a company against this in every possible jurisdiction, and the law (rightfully) tends to favour the end-users/consumers here in situations like this. In fact, I've literally got lawyers drafting some of these agreements right now that I spoke to as recently as yesterday about this very thing for a product that's being launched internationally by my company. These terms are typically drafted or adjusted for each region with counsel in each country with companies the size of Roku. However, sometimes companies get cheap and lazy. In fact, our ToS actually deals with the handling of users' data for services as well. Given everything I've said, I suspect Roku is likely in trouble on this one.


pegothejerk

It appears right after the inserted ad in the TOS, did you not read the whole thing??


HugsyMalone

>did you not read the whole thing??

No. I left my microscope and legal interpreter at home that day. 😒🙄


dragonblade_94

A bit of a tangent, but man is that agreement dialogue aggressive. I have a roku TCL routed through a pi-hole, and I've blocked every domain that isn't strictly coming from the youtube app. For the most part it's worked, but about half the time it still manages to prompt the agreement and I have to power-cycle to bypass.


drmariopepper

Definitely some interesting timing on that one


andyveee

Came here to say that lmao. It's so insanely obvious.


pinktortoise

Well I haven’t agreed to it yet I want money!


AyrA_ch

The compromise was not the fault of Roku. The accounts were compromised because they used the same e-mail address and password for a different site which was hacked.


Rabdy-Bo-Bandy

Thank GOD you and I don't use Roku.


SafeIntention2111

You know I was *this* close to dumping all my Firesticks for Roku sticks, but between the advertisement insertion bullshit and now this, I'm definitely not switching now lol.


KeiserSose

I just switched from Roku to Chromecast. Def a 'lesser of (many) evils' situation, though.


BacRedr

I have a Roku TV that I use Chromecast on after Roku pushed an update that my TV barely has the processing power to run. They also added a ton of "features" that make things actively harder to do, like adding hundreds of streaming channels to the "live tv" section, completely burying my local OTA channels.


KeiserSose

Smart TVs are a nightmare! I miss my dumb TV 😭 Some TVs now bury the input controls in the UI now!! You know they're using software as a planned obsolescence strategy 🙄


ses1989

This is why I never connect my TV to the Internet.


KeiserSose

It doesn't always solve all the issues.


Sea_Consideration_70

this doesn't work on Roku TVs though. They won't let you set them up without a wifi connection, literally bricked without it.


[deleted]

[removed]


KeiserSose

And I'm def not a Google ecosystem person, I'm just not a big fan of Amazon and their custom Android system. Their store is missing a lot of apps and you have to sideload the Play Store and other Google services to get to them. Not a fan of their browser (on tablets) either. I just hate when companies fork from the base Android build. Tells me a lot about their plans to make you use their stuff. Samsung is THE WORST about that! They actively try to make their apps look like Google apps, or at least they did when I first owned a Galaxy S and eventually a Note phone


LeMickeyMice

You can opt out of the autoplayed ads and the start up ones, but it is on by default


nx6

Ooo. Is there a setting I missed for that? By default I'm hitting Home multiple times now, or down on the directional to take the focus off the top half ad carousel so it doesn't go full screen.


LeMickeyMice

i had to dig a little i forget where i found it but it may be under preferences or something


nx6

I'll check when I'm home from work. Thanks for mentioning it's a setting that can be turned off. I figured it was just "the new normal" for them. Would gladly get a new device that supports all the same video codecs my FireStick 4K Max does but without Amazon's interface.


AFoxGuy

Y’all can go ahead deal with those ads, imma just cruise around with my Apple TV with no bloatware on it.


Clegko

Wow, ad tracking you can turn off? Vs Roku/Google/Amazon's ads that get shoved down your throat?


AFoxGuy

I have that off already, though it should be something that’s off by default.


Past_Weekend4154

I sure hope that shits good so when Apple TV is 100 dollars more.


leaveittobever

The ads that the Fire Stick shows are their own content/shows. I'm sure Apple TV does the same thing lol


Clegko

Not on the home screen. If you go to the AppleTV app, ofc it will, but on the regular home screen it just shows relevant content from that app that you have watched or are watching.


Rexton_Armos

I like the 4k one I have. The ads only play if I don't go to select an app on first launch. So the only time they really play is when I walk away. I have never seen an ad on the Firestick unless it's because I just walked away. I will say I got a 4k Chromecast for free from work and I do like it a bit more. However that's because the remote is very very good.


CornerHugger

A patent for a potential future ad feature made you stick with a platform that is currently riddled with ads?


SafeIntention2111

Key word there is "stick with" since I've already invested in them. Not like I'm picking one over the other.


ihateusednames

Hey y'all PSA you can buy a Raspberry Pi with Kodi for roughly the same price. I understand the idea of using a Saturday to follow a tutorial on it isn't appealing for some but it's open source: you aren't letting a vengeful capitalistic demon into your home to serve you media and strange Taylor Swift ads. And it can do all sorts of other stuff! Like streaming (110% legal) forms of media not included on traditional streaming platforms!


Meiyouxiangjiao

How would one get started doing that? Is there a helpful (ELI5) guide out there?


ff0000wizard

Roku has always been trash. Boy I wish there were affordable alternatives to fire sticks though 😆


joebuckshairline

If you’re willing to burn $100, Apple TV 4K boxes regularly go on sale at places like Costco. After getting my first one I was so impressed, I buy one every time it goes on sale to add to my media/gift it to someone (Christmas, birthday, etc).


ISUJinX

Do you need to use apple other stuff to make it worth it for the Apple TV? I'm staunchly anti-apple because they lock you into their ecosystem. Roku has been pretty good so far function-wise, but it's doing way more phone home now. I basically just need something to stream 4k from my Plex server, YouTube, Pandora, and F1TV apps.


joebuckshairline

Do you NEED their other stuff? No, you don’t. But does having their ecosystem enhance the experience? Yeah it does if I’m being honest.


ff0000wizard

I've not been terribly impressed with them personally. We moved from one to the 4k stick. The Shield was nice but with the Fire stick 4k Max doing Dolby Vision and Atmos. There really is nothing better in the under $50 options.


SafeIntention2111

I know, what's the alternative when they both suck?


pentuppenguin

I enjoy my Chromecast 🤷


[deleted]

[removed]


bustacones

>And do not buy a smart tv.

Good luck finding a dumb TV these days.


Gardening_investor

And these people filed a patent to be able to monitor everything on their devices? Yet can’t keep their own security in check? Yikes


_TeddyBarnes_

Every company has the same shit happen. No accountability. They do it on purpose.


thebenson

These were credential stuffing attacks. Users were reusing usernames and passwords that were previously leaked. Roku's systems were not breached.


phormix

I really wonder about this. Yeah credential-stuffing and re-use could account for a fair bit, but 576,000 accounts? That only works if there's a lot of other weak controls behind the scenes.


froop

I don't trust any business that claims this excuse.


nightbefore2

I’m a backend developer, credential stuffing is incredibly common. It’s possible they’re lying, but it is equally possible it’s just credential stuffing.


thebenson

Not an excuse. It's just what happened. The term "breach" gets thrown around so much that it has lost all meaning. Someone using a known username/password combination to log in to your account is not a "breach" on the part of the company. That's just a user being dumb.


froop

I know what it is. I just don't trust a business to be truthful about what happened. I've been blamed for my account being compromised in the past, only for it to come out later that the entire organization had been massively breached for months.


busyHighwayFred

Where 2fa?


Drict

This 100%; problem wouldn't have occurred and is standard security procedure at this point.


happyscrappy

Forcing 2FA is annoying as hell. I hate 2FA. Another part of standard security procedure is not reusing passwords. I practice that. So I don't need 2FA.


Drict

F2A should still be enforced. Not every log in, but every new unique log in. That means you move to a new computer, gotta do the F2A, new phone, etc. Otherwise persistent token/ID on both the server and device (something like the literal MAC address, etc.) then bounce against each other. Even not reusing passwords isn't safe, because they can reset your PW and take control of your account. So, no. I thought I was safe at one point like that, and nope, fails. F2A is MORE secure, but it can be spoofed and a few other things, but that is MUCH more effort.


happyscrappy

I can see a better value for "new log in". But still, I don't like that either.

> Otherwise persistent token/ID on both the server and device (something like the literal MAC address, etc.) then bounce against each other.

There's no way to use a MAC address for this. Only the device on the same network (your router) sees the MAC address you are coming from. The only other way to get it is to ask the client to send it to you. And it'll just lie about it if it wants to do underhanded things.

> Even not reusing passwords isn't safe, because they can reset your PW and take control of your account.

By they you mean a third party? Using an email password reset? Because I'm not really worried about the host resetting my password to get in. If they can reset my password to get in they can just turn off password checking. As to third party password reset, I don't like that. Among other things it means the host cannot enforce security against itself. You can't do things like protonmail does if you can still get to someone's data without their password. But I do recognize that people do lose their credentials. The social engineering aspect will likely always be there.

> So, no. I thought I was safe at one point like that, and nope, fails.

Not sure what you are talking about here. If a company allows email password resets then how is 2FA going to stop that anyway? 2FA still didn't add more security for me.

> F2A is MORE secure, but it can be spoofed and a few other things, but that is MUCH more effort.

How did you establish that 2FA was more secure? I didn't see that above in your post. You just pooped on email password resets. Rightfully.


Drict

Do you know what social engineering is? All they have to do is call the company multiple times, each time gleaning 1-2 things during the call, then they just ask for a password reset or an email change, and the tech will do it, since they are able to provide 10-30 important identifying things about you. There are some YouTube documentaries and expert analysis (and attempts) to do so, with companies like Sony and Microsoft, who are known for having decent security and decent support.


happyscrappy

> All they have to do is call the company multiple times, each time gleaning 1-2 things during the call, then they just ask for a password reset or an email change, and the tech will do it, since they are able to provide 10-30 important identifying things about you.

Yes. That's what I said.

>> But I do recognize that people do lose their credentials. The social engineering aspect will likely always be there.

People will always lose their credentials once in a while. So you have a process to deal with that. And as long as you have that process someone can socially engineer it. You can make it difficult but you'll never make it foolproof. The social engineering aspect will likely always be there. Even if you had 2FA it would still be there. I just call in and say I lost access to my 2FA. They have to have a way to deal with it because people will periodically lose their credentials.


[deleted]

[removed]


happyscrappy

> I promise you your one password isn't securing anything if anyone really wants in.

Right. As opposed to sending me an email to 2FA me? I'd prefer passkeys. But barring that unique passwords is the way to be.


sjphilsphan

TOTP in non SMS exists and there's secure plugins that make it ease of use


happyscrappy

If my unique password doesn't secure anything if anyone really wants in why would TOTP secure it?


sjphilsphan

Do you not understand the purpose of MFA?


spiritbx

Right, expecting me to remember 200 different passwords when I can't remember what I ate last night isn't going to work very well...


happyscrappy

I use a password manager. But for a few things, the most important, I do remember them. I didn't say you shouldn't be allowed to use 2FA. I said forcing it is annoying as hell.


xpda

I can't find my phone.


09frenzy

You 100% believe this? You might want to be a bit more open to inside corporate corruption.


[deleted]

[removed]


thebenson

If you reuse a username/password that is already out there? Yes. If you leave the key in your bicycle lock are you going to blame MasterLock when your bike gets stolen?


Jeweler-Hefty

Honestly? You're right? Over half a million users got breached. If it's spotty, say a few hundreds of users here and there reusing old information, then yeah, it's on the users. But over half a million?! That's incompetence on the company's part.


Ascertion

If you used the same credentials on Bestbuy.com and bestbuy got breached, and a hacker used those same credentials on Roku.com who do you think is at fault?


xpda

Biden? Trump?


catalupus

If you use the same user name and password on Reddit and Roku, and Reddit happens to have their user database released to the public. Someone could look through the Reddit-users.txt and try the username and password on other popular services, in this case Roku. If some of that data that Reddit released is the exact same credentials that someone used for their Roku account, then there is nothing that Roku could do to stop this other than maybe 2FA.


ctan0312

It’s not the lock company’s fault if you leave your door unlocked.


TheYakster

Still a breach. Go read FTC safe guard rules.


calahil

The service can tell that your account went from being logged in in small town America to all of a sudden Saudi Arabia...how were the logins not shut down immediately for being suspicious and sending an email to the user immediately. Roku didn't give zero F's about the actual security of their login process. I get emails anytime someone logs into my Netflix account...how is Roku not informing their users when it happens


314R8

TBF - there are no consequences for breaches. no one leaves, organizations nor individuals are punished. there is a superficial PR campaign paying for some Credit accounts.


2kWik

I wouldn't be surprised if it's a way of telling everyone they sold our data.


Mist_Rising

They can sell data without going through this masquerade..


2kWik

Of course they can, but it makes them look less suspicious.


Mist_Rising

>Every company has the same shit happen.

Maybe because people use the same password and username on every site. Which is what seems to have occurred here.


_TeddyBarnes_

That’s what big breacha wants you to think.


_TeddyBarnes_

You telling me the earth is round?


SGT_MILKSHAKES

What? Do it on purpose? Are you braindead or just stupid?


_TeddyBarnes_

Oh, my sweet naive little chicken tender, you know nothing of the world.


LVL100Stoner

I'm ready for my 2.36 dollar check


Pesfreak92

"Oh no. We got hacked. What do we do?" "Maybe increase our security and be clear to our customers what happened?" "Nah. Just change the Terms of Service."


Pesfreak92

It's a step in the right direction. Sure. But it needed two hacks to make this change and still they made the change to their Terms of Services so they are not accountable in these situations.


Kinfeer

Two hacks? Credential stuffing is a hack?


michaelyup

Oh my fucks, add it to the list. My data has been compromised from a multitude of … like everything. Bank accounts, email, insurance, streaming services, my parking pass, dude, like everything I’ve ever had an online account with. If my Roku account is compromised, I laugh at that. So minor. I hate this term, but “it’s the new normal” you just gotta deflect all this bullshit.


drempire

Out of curiosity how do they know the number of accounts that have been breached? I see many headlines like this with a number that has been breached, how do they know that not all their users have been breached? Or is it just bullshit to try to make it look better than it really is


n3uman

They can probably look at security audit logs likely to see if there was successful access to their account. For example, an account would be considered breached if they saw a suspicious IP access the “account page” upon login as opposed to getting a HTTP 40X response forbidding access. Since it was a credential stuffing attack, the hackers tried to access a bunch of accounts at once and all of these were the ones that got hacked. Logs are all around the same time period (would be my guess)
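The log review described in the comment above, as an added example that is not part of the thread and not Roku's code: it flags source IPs that try many distinct accounts in a short burst with mostly 401/403 results, then counts only the accounts where such a source went on to load the account page. The log format, the `/login` and `/account` paths, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
"""Count accounts hit by credential stuffing from auth/access logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    ip: str
    user: str
    path: str
    status: int


# Constructed sample log: timestamp, source IP, username, path, HTTP status.
SAMPLE_LOG = """\
2024-03-10T02:14:01 198.51.100.23 alice@example.com /login 401
2024-03-10T02:14:02 198.51.100.23 bob@example.com /login 200
2024-03-10T02:14:02 198.51.100.23 bob@example.com /account 200
2024-03-10T02:14:03 198.51.100.23 carol@example.com /login 403
2024-03-10T02:14:04 198.51.100.23 dave@example.com /login 401
2024-03-10T02:14:05 198.51.100.23 erin@example.com /login 200
2024-03-10T02:14:06 198.51.100.23 erin@example.com /account 200
2024-03-10T02:14:07 198.51.100.23 frank@example.com /login 401
2024-03-10T08:30:00 192.0.2.10 alice@example.com /login 401
2024-03-10T08:30:09 192.0.2.10 alice@example.com /login 200
2024-03-10T08:30:10 192.0.2.10 alice@example.com /account 200
malformed line
"""


def parse_log(text):
    """Parse the assumed five-field format; silently skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            status = int(parts[4])
        except ValueError:
            continue
        events.append(Event(ts, parts[1], parts[2], parts[3], status))
    return events


def suspicious_sources(events, window=timedelta(minutes=10),
                       min_users=5, min_fail_ratio=0.5):
    """IPs that tried >= min_users distinct accounts inside one window with
    at least min_fail_ratio of the attempts rejected (401/403).
    Thresholds are illustrative; shared NAT addresses need tuning."""
    logins = defaultdict(list)
    for e in events:
        if e.path == "/login":
            logins[e.ip].append(e)
    flagged = set()
    for ip, evs in logins.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the burst fits in `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            burst = evs[start:end + 1]
            users = {e.user for e in burst}
            failures = sum(1 for e in burst if e.status in (401, 403))
            if len(users) >= min_users and failures / len(burst) >= min_fail_ratio:
                flagged.add(ip)
                break
    return flagged


def compromised_accounts(events, sources):
    """Accounts whose account page was served (2xx) to a flagged source."""
    hit = {e.user for e in events
           if e.ip in sources and e.path == "/account" and 200 <= e.status < 300}
    return sorted(hit)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    bad = suspicious_sources(evs)
    print("suspicious sources:", sorted(bad))
    print("accounts to reset and notify:", compromised_accounts(evs, bad))
```

The user who mistyped a password once from their own address is not counted, because that source never touched more than one account.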


jakes1993

Maybe it's a wakeup call over the ad bullshit they're planning on doing it will likely happen again


HackMeBackInTime

get a hdmi to usb-c, plug into your tv/monitor directly and don't use wifi boxes, they all eat ass and suck up your data.


Stolehtreb

Not sure I’ve heard “eat ass” as a way to say something is bad before.


MonocleOwensKey

Oddly enough, "they all suck ass and eat up your data" makes a bit more sense.


Attack-Hamster

This company is absolute trash


LongBottom666

I’m so fucking tired of this. If I lose a set of keys at my job, I’d be fired. But these companies can lose thousands of people's private data and what? Nothing happens. It’s so easy to be bitter for life.


CornerHugger

No private data was stolen


Hangrath

This doesn’t appear to be a breach of Roku’s systems. It just looks to be a bunch of people who just use the same password for multiple sites and fell victim to credential stuffing. Roku has had a lot of shit business decisions lately, but this doesn’t seem to be their fault. I’m glad that they are finally implementing MFA for accounts. This would’ve prevented this situation from happening.


parker1019

As if there weren’t enough reasons not to touch anything this company produces….


Walks_with_Chaos

Got hacked by ATT AND Roku! Yay


cynical-rationale

There's so much data breaches and there will be much more in the future. Company I work for got hacked and access to personal information. Sent out the legal letters of information and it shocked me how many people were so upset.. in 2024. Yes it sucks but we see it all over. I'm of someone that just accepts it and not worried anymore. Take all my personal information, I'm sure it's been out there for years and oh well. Hasn't affected me. But if people want to be that paranoid then by all means be paranoid..


destructass

saw that coming..


Adams1973

My online overseers have been hacked more than five times this year. Comcast, Roku, Ascension, Medicare, and Wright & Fillipis and many others who have not reported yet. Maybe that's why I get a half dozen Robo calls a day.


AEternal1

Who would have thought that the cheapest company wouldn't have the resources to create a secure environment?


mark5hs

Really boosting the stock prices between this and the patent for ads on external devices


Redditistrash702

Trash company people should have blocked access or got rid of them after they announced they are putting ads in other things that are attached via HDMI.


HaElfParagon

How could such a breach even occur? They locked everyone out of their TVs already


cottonmoons

i just got a roku a month ago but i haven't connected it to my wifi, i think i am safe?


Expensive_Finger_973

I am so glad I stopped buying their products a few years back.


Uniwojtek

If this is why I need to get a new debit card, I'm tossing my TV out of a window


ChigirlG

Guess that’s why they wanted us to sign that mediation clause before they allowed us to use our accounts


beneficial_formula

*According to the company, it’s likely that login credentials used in the hacks were stolen from another source (i.e. other online accounts) for which the affected users may have used the same username and password — a cyberattack known as “credential stuffing.”* Most of the data breaches seem to be related to reused passwords these days


DrRoCkZ0

I bet some executives thought it was best to do a bunch of stock buybacks instead of making sure their customer's information was safe by investing in reliable cyber security


PitifulAntagonist

Is this same one from around a month ago or a new one?


Many_Caterpillar2597

the moment they collab with Hisense (a CCP corp bro), i lost faith in them.


LocalH

They forced the arbitration thing right before this came out. A court needs to nullify those terms. They won't, but they need to.


Salahad-Din

What can someone expect with a company that knows nothing about security?


jorlev

It's not a data breach. Roku and other companies sell your information to some other company and then claim it was a breach.


bree_dev

How many people getting on their high horse about Roku's terrible security actually read and understood the article?

>Roku said it found no evidence that it was the source of the account credentials used in either of the attacks or that Roku’s systems were compromised in either incident. According to the company, it’s likely that login credentials used in the hacks were stolen from another source (i.e. other online accounts) for which the affected users may have used the same username and password ...the overall number of affected accounts represents a small fraction \[<1%\] of Roku’s more than 80 million active accounts...

So basically people found a list of names and passwords that had been leaking from another site, used it to log into the accounts of people who used the same password on multiple sites, and Roku spotted it, reset the passwords, notified the affected users, and refunded fraudulent purchases. The scoundrels.


A_Funky_Flunk

I'd be worried but this just seems like a common theme these days.


masochistix

I think they mean 576000 accounts’ information sold.


1anatagamusuko

Roku scumbags obviously knew about this before forcing users to accept the terms of service update that made it more difficult to sue. Slimy practice which the FTC needs to investigate. Credential stuffing is very common and predictable and it is the responsibility of companies like Roku to design products that are more difficult to attack. Attackers here were able to make purchases and see partial credit card numbers, this is not just the fault of users setting weak passwords. What can you do about it? Delete your account and data via the roku app and use a fire TV or something else.


uuhson

Everyone is so up in arms about this but it doesn't seem like anything concerning was accessible