Following a recent security breach that exposed over 15,000 Roku accounts, the company revealed today that a second breach has affected more than 576,000 accounts.
According to a statement on its official website, Roku clarified that there is no evidence to suggest that the company's systems were compromised or that the account credentials were obtained from Roku. The login details used in the breaches were likely acquired from another source, where affected users might have reused the same username and password combination. This type of cyberattack is commonly referred to as "credential stuffing."
Roku mentioned that in under 400 instances, the "malicious actors accessed the accounts and made unauthorized purchases of streaming services subscriptions and Roku hardware using the payment information stored in these accounts. However, no sensitive data such as full credit card numbers or complete payment details were exposed."
The company has taken steps to reset the passwords for the affected accounts and has directly contacted the customers involved in the breach. Additionally, Roku is in the process of refunding or reversing any unauthorized charges made by the perpetrators.
Moreover, all Roku accounts now have two-factor authentication enabled, regardless of whether they were affected by the security incidents. Users should expect a verification link to be sent to the email address associated with their account the next time they log into their Roku account online.
"Although the number of impacted accounts is only a small portion of Roku's 80 million active accounts, we are implementing various controls and measures to identify and prevent future credential stuffing attacks," stated the company.
Roku recommended that users set up a "strong, unique password" for their accounts and stay vigilant against any suspicious communications purporting to be from Roku, such as requests to update payment details, share login credentials, or click on dubious links.
"We deeply regret the occurrence of these incidents and any inconvenience they may have caused," the company said. "The security of your account is of utmost importance to us, and we are dedicated to safeguarding your Roku account."
This marks the second breach for Roku in recent times. In March, the company disclosed that hackers had breached over 15,000 user accounts.