Popular American streaming service provider Roku has recently been the target of cyberattacks, with over 500,000 user accounts impacted in the latest breach. The company disclosed that unauthorized actors gained access to approximately 576,000 additional accounts while investigating a previous breach that affected 15,000 user accounts earlier in the year.
The breaches were carried out using a technique known as “credential stuffing,” in which attackers take username and password pairs stolen in other data breaches and try them against accounts on different platforms, relying on people reusing the same password across services. In this case, the login information used in the attacks appears to have come from third-party breaches rather than from Roku’s own systems.
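From the defender's side, credential stuffing has a recognisable shape in authentication logs: one source touching many different accounts, with few attempts per account and a high failure rate, which is the opposite of a brute-force attack hammering one account. The detector below is an added example, not Roku's code; the log format, sample lines and thresholds are constructed for illustration.

```python
"""Heuristic credential-stuffing detector over authentication log lines."""
from collections import defaultdict
import re

# Constructed sample log in a hypothetical "ts src=IP user=NAME result=ok|fail" format.
SAMPLE_LOG = """\
2024-04-01T10:00:01Z src=203.0.113.7 user=alice result=fail
2024-04-01T10:00:02Z src=203.0.113.7 user=bob result=fail
2024-04-01T10:00:02Z src=203.0.113.7 user=carol result=ok
2024-04-01T10:00:03Z src=203.0.113.7 user=dave result=fail
2024-04-01T10:00:03Z src=203.0.113.7 user=erin result=fail
2024-04-01T10:00:04Z src=203.0.113.7 user=frank result=fail
2024-04-01T10:00:09Z src=198.51.100.9 user=grace result=fail
2024-04-01T10:00:10Z src=198.51.100.9 user=grace result=fail
2024-04-01T10:00:11Z src=198.51.100.9 user=grace result=ok
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)")


def detect_credential_stuffing(log_text, min_distinct_users=5,
                               max_attempts_per_user=2.0, min_fail_ratio=0.6):
    """Return {src_ip: stats} for sources whose traffic fits the stuffing profile.

    The signal is breadth across accounts, not depth: a single account being
    retried many times (classic brute force, as with 198.51.100.9 above) is
    deliberately not flagged by this heuristic. Thresholds are assumed values.
    """
    per_src = defaultdict(lambda: {"attempts": 0, "fails": 0,
                                   "users": set(), "successes": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not parse
        s = per_src[m["src"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if m["result"] == "fail":
            s["fails"] += 1
        else:
            s["successes"].add(m["user"])  # logins that succeeded during the spray
    flagged = {}
    for src, s in per_src.items():
        distinct = len(s["users"])
        attempts_per_user = s["attempts"] / distinct
        fail_ratio = s["fails"] / s["attempts"]
        if (distinct >= min_distinct_users and attempts_per_user <= max_attempts_per_user
                and fail_ratio >= min_fail_ratio):
            flagged[src] = {"distinct_users": distinct, "fail_ratio": round(fail_ratio, 2),
                            "compromised": sorted(s["successes"])}  # candidates for forced reset
    return flagged
```

The `compromised` list is the actionable output: accounts that authenticated successfully from a flagged source are the ones to force a password reset and step-up verification on.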
Despite the breach, Roku emphasizes that it was not the source of the compromised credentials and that its systems remained secure. While the breaches are concerning, Roku assures its users that sensitive information such as full credit card numbers or other payment details was not compromised.
“We sincerely regret that these incidents occurred and any disruption they may have caused. Your account security is a top priority, and we are committed to protecting your Roku account,” the company said in a blog post.
During the breaches, malicious actors made unauthorized purchases of streaming service subscriptions and Roku hardware products using the payment methods stored in the compromised accounts. However, Roku has reset passwords for all affected accounts, refunded or reversed charges for unauthorized purchases, and enabled two-factor authentication (2FA) for all accounts, regardless of whether or not they were impacted by the breaches.
Two-factor authentication adds an extra layer of security to user accounts by requiring a verification step in addition to the standard username and password login. This measure aims to prevent future credential stuffing incidents and enhance overall account security.
In addition to the immediate actions taken to address the breaches, Roku advises users to create strong, unique passwords for their accounts and remain vigilant against suspicious communications. They also recommend periodically reviewing account charges and staying informed about account security best practices.