What you need to know
- Approximately 576,000 Roku accounts were accessed through a credential stuffing attack, the company confirmed in an April 12 statement.
- The latest attack comes a month after about 15,000 Roku accounts were breached through the same method of attack.
- While the hackers couldn't access "sensitive user information or full credit card information," they successfully made purchases within Roku using fewer than 400 breached accounts.
Roku suffered a limited security incident last month that left roughly 15,000 user accounts vulnerable, and now, another 576,000 have been impacted by a second attack. The company announced that over half a million accounts were fraudulently accessed through credential stuffing in an April 12 statement. While hackers were unable to access sensitive information, they were able to make purchases using a very limited number of Roku accounts.
Credential stuffing is a method of attack in which hackers use previously leaked login credentials on popular sites. That's why cybersecurity experts warn against using the same password on two different websites. If the password to one account is leaked in a hack, bad actors can try to use that same username and password combination to log in to another. Roku says that since this was a credential-stuffing attack, it was not the source of the login credentials used to breach the 576,000 accounts.
"There is no indication that Roku was the source of the account credentials used in these attacks or that Roku’s systems were compromised in either incident," the company explained in the statement. "Rather, it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials."
Roku says that the hackers did not access sensitive information or full credit card information. However, in less than 400 incidents, the bad actors were able to purchase Roku hardware or subscribe to streaming services. In those cases, Roku refunds the users or reverses the transactions.
Roku will notify customers directly if they've been impacted by either account breach. Moving forward, the company will make two-factor authentication mandatory on all accounts to try to nix credential stuffing. After logging into Roku next, users will be prompted to verify their login with a link sent via email.
Since the company has 80 million active users, this breach is fairly small in the grand scheme of things. Still, if you have a Roku account, it's worth checking to see if you were affected. However, Roku automatically resets account passwords for affected users. Even if your account wasn't affected, be sure to practice good online security habits and use different passwords for each account you create. To make it less of a hassle, you can start using one of the best password managers.