Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Roku confirms second major cyberattack — over 500,000 accounts thought to be at risk

Roku remote next to iPhone with Roku logo on its screen.

Top TV streaming service Roku has confirmed suffering a second major cyberattack, with this one affecting more than half a million users. 

Late last week, Roku said that unnamed threat actors engaged in a second wave of credential stuffing attack, during which they managed to compromise 576,000 accounts. 

In the first wave, roughly 15,000 accounts were breached.

Compromised Gitlab

“After concluding our investigation of this first incident, we notified affected customers in early March and continued to monitor account activity closely to protect our customers and their personal information. Through this monitoring we identified a second incident, which impacted approximately 576,000 additional accounts,” the company said in a breach notification. 

"There is no indication that Roku was the source of the account credentials used in these attacks or that Roku’s systems were compromised in either incident.”

Accessing accounts this way is always dangerous, as threat actors can obtain a vast database of valuable, personally identifiable information. 

However, in this incident, they did more than that, apparently: "In less than 400 cases, malicious actors logged in and made unauthorized purchases of streaming service subscriptions and Roku hardware products using the payment method stored in these accounts, but they did not gain access to any sensitive information, including full credit card numbers or other full payment information."

Credential stuffing is a type of attack in which hackers first obtain login credentials elsewhere (for example, on a dark web forum), and then try them on different services to see if they work. They often do, since many people use the same username/password combination across multiple services.

Roku said its servers were not the source of the data leak, and to tackle the issue, it reset the passwords for everyone involved, and set up mandatory multi-factor authentication (MFA). Even those accounts that were not compromised in this attack are now forced to use MFA.

Via BleepingComputer

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.