Roku recently revealed a data breach where hackers accessed 15,363 accounts using “credential stuffing,” compromising credit card, password, and username details. On Friday, the company announced the discovery of a second security incident involving a new credential stuffing attack, impacting around 576,000 more accounts.
For the uninitiated, credential stuffing is an automated cyberattack where hackers utilize stolen usernames and passwords from one platform to try accessing accounts on other platforms. This tactic capitalizes on the common practice of individuals using the same login credentials across multiple services.
According to the company, Roku wasn’t the origin of the compromised account credentials nor were its systems breached in either security event. It’s likely that the attackers employed login credentials obtained from another source, possibly another online account, where affected users might have reused the same username and password across multiple platforms.
“In less than 400 cases, malicious actors logged in and made unauthorized purchases of streaming service subscriptions and Roku hardware products using the payment method stored in these accounts, but they did not gain access to any sensitive information, including full credit card numbers or other full payment information,” The company stated in a blog post on Friday.
“While the overall number of affected accounts represents a small fraction of Roku’s more than 80 million active accounts, we are implementing a number of controls and countermeasures to detect and deter future credential stuffing incidents.”
Upon discovering the second credential stuffing attack, Roku initiated password resets for all impacted accounts and is directly notifying affected customers about the incident.
The company is also refunding or reversing charges for the small number of accounts where it has been determined that unauthorized actors made purchases of streaming service subscriptions or Roku hardware products utilizing a payment method stored in these accounts.
However, the company assures its customers that these malicious actors were unable to access sensitive user information or full credit card details.
Furthermore, Roku has activated two-factor authentication (2FA) for all Roku accounts by default, including those unaffected by these recent incidents.
“We deeply regret the occurrence of these incidents and any inconvenience they may have caused. Your account security remains our utmost priority, and we are dedicated to safeguarding your Roku account,” the company concluded.
To enhance the security of customer accounts, the company recommends users to generate a strong, unique password for their Roku account. Additionally, it advises customers to stay vigilant and reach out to Roku’s customer support if they encounter any suspicious communications purportedly from Roku, such as requests to update payment details, share usernames or passwords, or click on dubious links.
0 Comments