Roku has disclosed a second data breach affecting hundreds of thousands of accounts on its streaming platform. The company says it found evidence of unauthorized access to 576,000 Roku user accounts, in addition to the 15,000 accounts compromised in an earlier incident last month.
According to Roku, the attacks used a technique known as "credential stuffing," in which attackers take username/password pairs leaked in other breaches and systematically try them against accounts on unrelated services. The compromised credentials most likely came from earlier breaches at other sites where people had reused the same password. In its advisory published today, Roku writes:
After concluding our investigation of this first incident, we notified affected customers in early March and continued to monitor account activity closely to protect our customers and their personal information. Through this monitoring we identified a second incident, which impacted approximately 576,000 additional accounts.
While Roku's systems were not directly hacked in this incident, malicious actors were able to exploit weak or stolen credentials to take over accounts via credential stuffing. In less than 400 cases, attackers made fraudulent purchases of streaming subscriptions and Roku hardware using payment methods stored in the compromised profiles.
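Credential stuffing of the kind described above leaves a characteristic trace in a service's own authentication logs: a single source trying many different accounts with mostly failed logins, which is how a defender can spot it and decide which accounts to force-reset. The following is an added example (not Roku's code and not part of the advisory) that detects that pattern over constructed sample log lines in an assumed "timestamp ip user OK|FAIL" format, with the thresholds and field layout being assumptions.

```python
"""Credential-stuffing detector for auth logs (added example, not Roku code).
Flags sources hitting many distinct accounts with a low success rate."""
import re
from collections import defaultdict

# Constructed sample lines in an assumed format: "<timestamp> <ip> <user> <OK|FAIL>"
SAMPLE_LOG = """\
2024-04-12T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-04-12T10:00:02Z 203.0.113.7 bob@example.com FAIL
2024-04-12T10:00:03Z 203.0.113.7 carol@example.com OK
2024-04-12T10:00:04Z 203.0.113.7 dave@example.com FAIL
2024-04-12T10:00:05Z 203.0.113.7 erin@example.com FAIL
2024-04-12T10:01:00Z 198.51.100.4 alice@example.com FAIL
2024-04-12T10:01:20Z 198.51.100.4 alice@example.com OK
2024-04-12T10:02:00Z 192.0.2.9 bob@example.com OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_events(log_text):
    """Yield (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            yield ts, ip, user, result == "OK"

def find_stuffing_sources(log_text, min_accounts=5, max_success_rate=0.5):
    """Return {ip: stats} for sources trying >= min_accounts distinct accounts with
    a success rate <= max_success_rate. One user mistyping a password is not flagged."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for _ts, ip, user, success in parse_events(log_text):
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        s["ok"] += int(success)
    flagged = {}
    for ip, s in per_ip.items():
        rate = s["ok"] / s["attempts"]
        if len(s["users"]) >= min_accounts and rate <= max_success_rate:
            flagged[ip] = {"accounts": len(s["users"]),
                           "attempts": s["attempts"], "success_rate": rate}
    return flagged

def accounts_to_reset(log_text, **thresholds):
    """Accounts a flagged source logged into: force-reset and review stored-payment purchases."""
    flagged = find_stuffing_sources(log_text, **thresholds)
    return sorted({u for _t, ip, u, ok in parse_events(log_text)
                   if ok and ip in flagged})
```

On the sample data only 203.0.113.7 is flagged (five accounts, one success), and the account it got into, carol@example.com, is the one to reset; the legitimate user at 198.51.100.4 who mistyped once is left alone.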
As a precaution, Roku has reset passwords for all affected accounts. The company is also refunding customers who incurred unauthorized charges.
First, we have reset the passwords for all affected accounts and are notifying those customers directly about this incident. We also are refunding or reversing charges for the small number of accounts where we’ve determined that unauthorized actors made purchases of streaming service subscriptions or Roku hardware products using a payment method stored in these accounts. We also want to reassure customers that these malicious actors were not able to access sensitive user information or full credit card information.
Roku has also enabled two-factor authentication (2FA) by default for all accounts, whether or not they were affected by the recent incidents. The next time users attempt to log in to their Roku account, a verification link will be sent to the registered email address.