This type of hack is called a credential stuffing attack, and it's not Roku's fault. Rather, the hack is partly made possible by customers using the same passwords for multiple accounts they own.