Roku makes 80% of its money from advertising. Now they sell cameras, doorbells, and smart plugs. Your security camera data feeds into the same infrastructure that serves you TV ads. Roku knows what you watch AND when you're home. An advertising company now has cameras inside and outside your house.
576,000 Roku accounts breached. Then 15,000 more. Attackers used stolen passwords to log in and make purchases on victims' accounts. Roku had no two-factor authentication until after the breaches forced it. The company that wants cameras in your home couldn't secure the accounts those cameras connect to.
What they claim: Roku Smart Home promotes simple, affordable home monitoring.
What we found: Roku's primary business is advertising — 80% of revenue comes from advertising and data licensing on its streaming platform. Roku Smart Home cameras, doorbells, and sensors feed into the same data infrastructure used for ad targeting. Roku's privacy policy allows combining smart home data (who's home, activity patterns) with streaming data (what you watch) to build comprehensive household profiles.
What they claim: Roku describes data collection as necessary for product functionality.
What we found: In 2023, Roku disclosed a data breach affecting 576,000 accounts, followed by a second breach in 2024 affecting another 15,000 accounts. Attackers used credential stuffing to access Roku accounts and make fraudulent purchases. Roku responded by enforcing mandatory two-factor authentication — but the breaches exposed how much personal data Roku had accumulated across its streaming and smart home ecosystem.