Just wanted to share that someone is trying to hack into Roon accounts. There were 3 successful logins to my account from 3 different IPs. Luckily I got the “Roon Security Alert” e-mails and was able to change my password to something much stronger. In this case, it was my fault for using a super weak password that was pretty easy to “brute force”. My guess is that the hacking attempts are targeting the “community” forum’s login functionality and then ‘crawling’ the site for a credit card or other information.
I just wanted to let the community know, especially if you have a weak Roon password.
I’m sure someone from Roon would be a better resource…
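A defender-side check of the kind that would produce the “Roon Security Alert” described above, added here as an example (it is not Roon’s code, and the log format and the 1-hour / 3-IP thresholds are assumptions): it scans constructed login-event lines and flags accounts whose successful logins came from several distinct IP addresses within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (not real Roon logs): timestamp, account, result, source IP.
SAMPLE_EVENTS = """\
2024-05-01T08:00:12Z login user=alice@example.com result=fail ip=198.51.100.7
2024-05-01T08:00:19Z login user=alice@example.com result=fail ip=198.51.100.7
2024-05-01T08:01:02Z login user=alice@example.com result=success ip=198.51.100.7
2024-05-01T08:14:40Z login user=alice@example.com result=success ip=203.0.113.22
2024-05-01T08:31:05Z login user=alice@example.com result=success ip=192.0.2.150
2024-05-01T09:10:00Z login user=bob@example.com result=success ip=192.0.2.9
2024-05-01T18:45:00Z login user=bob@example.com result=success ip=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) result=(?P<result>success|fail) ip=(?P<ip>\S+)$"
)

def parse_events(text):
    """Parse log lines into (timestamp, user, result, ip) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["result"], m["ip"]))
    return sorted(events)  # chronological order; tuples sort on timestamp first

def flag_multi_ip_logins(events, window=timedelta(hours=1), min_ips=3):
    """Return {user: sorted IPs} for accounts with successes from >= min_ips IPs inside one window."""
    by_user = defaultdict(list)
    for ts, user, result, ip in events:
        if result == "success":  # failed attempts alone are noise here; only successes count
            by_user[user].append((ts, ip))
    flagged = {}
    for user, logins in by_user.items():
        for i, (start, _) in enumerate(logins):
            # Sliding window anchored at each successful login, looking forward `window`
            ips = {ip for ts, ip in logins[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                flagged[user] = sorted(ips)
                break
    return flagged

if __name__ == "__main__":
    for user, ips in flag_multi_ip_logins(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {user}: successful logins from {len(ips)} IPs {ips}")
```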
In my case, I got a formatted e-mail that had a password reset button. You want to make sure that any URL is ‘official’. Something like “https://roonlabs.com/…”.
In this case, the e-mail forwards you to: https://roonlabs.com/reset?email=[YOUR_EMAIL_ADDRESS_HERE]
Clicking on that URL just sends another e-mail with reset instructions.
There is a feature request for Roon to use 2FA. I would add: with an authenticator app, not only SMS or email. If an unauthorized logon happens, it may be too late for mitigation.
Highly recommend using something like LastPass. It will generate a random character password for you and easily integrates in your browser to help with your logins.
I have a recommendation for the additional security questions some sites have (do not remember if Roon does it) - When they ask you for security questions, create huge random strings and use those. Store them so you don’t lose them. Otherwise, especially if you have social media, don’t use what they ask for. It could be info easily inferred from your social media or your contacts. It is sometimes a pain, but well…
These saved my phone account - and this is important, since sites use your phone for 2FA. Someone tried to transfer it. When they were asked for mom’s maiden name, they tried the right one. I don’t have anything other than LinkedIn. But probably they got it from a contact… or even inferred from that.
Of course, instead of the real answer, I had a 256 chars long random string. The phone company gave me the pleasure to let me know they told the criminal “you are never gonna get it, you are a criminal!”
The real danger isn’t with Roon. Once hackers get hold of an email/password they will run these against any number of commonly used websites to see if your password has been reused, for example Google or on-line banking accounts or Amazon. Beware!
There is a huge market for accounts (Netflix/Amazon etc.); there are loads of dedicated forums on Telegram and Discord selling everything from VPN accounts, which I’ve been guilty of buying, to Tidal and Qobuz, selling for as low as $1 for the information. I actually saw a member request passwords for sale for Roon last week, so I’d suggest changing your password on a regular basis.