Hackers Breach 576,000 Roku Accounts In Credential Stuffing Attack

Last month, Roku disclosed a data breach that allowed hackers to gain access to 15,363 accounts through a method known as “credential stuffing” and involved credit card, password, and username information being stolen.

The company on Friday announced it has discovered a second security incident in a new credential stuffing attack, which has affected approximately 576,000 additional accounts.

For those unaware, credential stuffing is a type of automated cyberattack in which fraudsters use stolen usernames and passwords from one platform to attempt to log in to accounts on other platforms.

This method exploits the practice of individuals reusing the same login credentials across multiple services.

According to the company, Roku was not the source of the account credentials used in these attacks, and Roku’s systems were not compromised in either security incident.

The attackers likely used login credentials taken from another source, such as a different online service, where the affected users had reused the same username and password.

“In less than 400 cases, malicious actors logged in and made unauthorized purchases of streaming service subscriptions and Roku hardware products using the payment method stored in these accounts, but they did not gain access to any sensitive information, including full credit card numbers or other full payment information,” the company wrote in a blog post on Friday.

“While the overall number of affected accounts represents a small fraction of Roku’s more than 80 million active accounts, we are implementing a number of controls and countermeasures to detect and deter future credential stuffing incidents.”
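The detection side of this, as an added example that is not Roku's code and is not part of the original article: a small Python check over constructed login log lines that flags a source address trying many distinct usernames with mostly failed logins, which is the pattern a replayed credential list leaves and a single user's password retries do not. The log format, addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from any real service).
# Format: ISO timestamp, source IP, username, outcome (OK or FAIL).
SAMPLE_LOG = """\
2024-04-12T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-04-12T10:00:02Z 203.0.113.7 bob@example.com FAIL
2024-04-12T10:00:02Z 203.0.113.7 carol@example.com OK
2024-04-12T10:00:03Z 203.0.113.7 dave@example.com FAIL
2024-04-12T10:00:04Z 203.0.113.7 erin@example.com FAIL
2024-04-12T10:00:05Z 203.0.113.7 frank@example.com FAIL
2024-04-12T10:01:00Z 198.51.100.4 alice@example.com FAIL
2024-04-12T10:01:20Z 198.51.100.4 alice@example.com FAIL
2024-04-12T10:01:40Z 198.51.100.4 alice@example.com OK
"""

def parse_log(text):
    """Turn the whitespace-separated log into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that attempt at least `min_users` distinct usernames inside
    `window` with a failure ratio of `min_fail_ratio` or more. One user failing
    repeatedly (a forgotten password, or a brute-force on one account) is not
    flagged; many different accounts tried once each is.
    Returns {ip: {"users": n, "attempts": n, "fail_ratio": f}}."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(events):
        by_ip[ip].append((ts, user, outcome))
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):            # sliding window over this IP's attempts
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, o in span if o != "OK")
            ratio = fails / len(span)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                flagged[ip] = {"users": len(users), "attempts": len(span),
                               "fail_ratio": round(ratio, 2)}
    return flagged
```

On the sample above only 203.0.113.7 is flagged (six usernames, five failures in five seconds); 198.51.100.4 is one user retrying and is left alone.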

After discovering the second credential stuffing attack, Roku reset the passwords for all affected accounts and is notifying the affected customers directly about the incident.

The company is also refunding or reversing charges for the small number of accounts where it has been determined that unauthorized actors have made purchases of streaming service subscriptions or Roku hardware products using a payment method stored in these accounts.

However, the company reassures its customers that these malicious actors were not able to access sensitive user information or full credit card information.

Additionally, Roku has enabled two-factor authentication (2FA) for all Roku accounts by default, even for those that have not been affected by these recent incidents.

To help safeguard customer accounts, the company has advised users to create a strong, unique password for their Roku account. It has also asked customers to remain alert and contact Roku’s customer support about any suspicious communications appearing to come from Roku, such as requests to update payment details, share a username or password, or click on suspicious links.

“We sincerely regret that these incidents occurred and any disruption they may have caused. Your account security is a top priority, and we are committed to protecting your Roku account,” the company concluded.

Kavita Iyer, https://www.techworm.net