Main points
- 576,000 Roku accounts were compromised due to credential stuffing.
- About 400 accounts were used for fraudulent purchases; affected passwords have been reset.
- 15,363 accounts were compromised in a previous incident, and completing the password reset is critical.
The company revealed that monitoring following an earlier security breach at Roku has uncovered a second incident affecting approximately 576,000 accounts. While it is believed that internal systems were not compromised and the attackers never obtained complete payment information, using login information stolen from other platforms automatically compromised accounts.
This method, known as credential stuffing, is possible when people reuse the same username and password across multiple apps or websites.
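Credential stuffing leaves a recognisable trace in authentication logs: one source tries many different accounts in a short burst, most attempts fail, and the few that succeed are exactly the accounts that need a forced reset. The following is an added example, not code from the article or from Roku; the log format and the sample lines are constructed, and the thresholds are assumptions to tune per deployment.

```python
"""Detect credential-stuffing bursts in authentication logs.

Stuffing replays leaked username/password pairs, so it appears as many distinct
accounts tried from one source in a short window with a high failure ratio;
a user fumbling their own password is one account from one source."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "timestamp ip account result"
SAMPLE_LOG = """\
2024-04-01T10:00:01 203.0.113.7 alice@example.com FAIL
2024-04-01T10:00:02 203.0.113.7 bob@example.com FAIL
2024-04-01T10:00:02 203.0.113.7 carol@example.com OK
2024-04-01T10:00:03 203.0.113.7 dave@example.com FAIL
2024-04-01T10:00:04 203.0.113.7 erin@example.com FAIL
2024-04-01T10:00:05 203.0.113.7 frank@example.com FAIL
2024-04-01T10:00:20 198.51.100.9 grace@example.com FAIL
2024-04-01T10:00:25 198.51.100.9 grace@example.com FAIL
2024-04-01T10:00:31 198.51.100.9 grace@example.com OK
"""

def parse_log(text):
    """Yield (timestamp, ip, account, success) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        yield datetime.fromisoformat(ts), ip, account, result == "OK"

def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_accounts=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_accounts, fail_ratio, successes)} for sources whose
    activity inside `window` looks like stuffing; `successes` are the accounts
    that logged in during the burst, i.e. the ones needing a forced reset."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        first = attempts[0][0]
        burst = [a for a in attempts if a[0] - first <= window]
        accounts = {acct for _, acct, _ in burst}
        fails = sum(1 for _, _, ok in burst if not ok)
        ratio = fails / len(burst)
        if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = (len(accounts), round(ratio, 2),
                           sorted(acct for _, acct, ok in burst if ok))
    return flagged
```

Running `find_stuffing_sources(parse_log(SAMPLE_LOG))` flags only 203.0.113.7 (six accounts, five failures) and reports carol@example.com as the account that was actually taken over, while grace's repeated attempts against her own account are left alone.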
Two-factor authentication for everyone
Roku said nearly 400 people’s accounts were used to fraudulently purchase subscriptions or streaming devices. In response to the latest attack, the company has reset passwords for everyone exposed in the incident and turned on two-factor authentication (2FA) for all users, regardless of whether they were involved. Customers will receive a verification link via email the next time they attempt to log into their Roku account and will need to click or tap the link to continue the login process. Fraud victims are having their charges dismissed or refunded.
In a previous breach that occurred between the end of December and the end of February, 15,363 customer accounts were compromised using the same automated credential stuffing method. A small number of people’s accounts were used to purchase subscriptions to services such as Max and Peacock, and attackers also attempted to resell login information for as little as 50 cents on stolen account marketplaces. It’s unclear whether the accounts in the latest incident have been sold, but as long as people follow Roku’s reset prompts, the information should be out of date. It is important to complete the reset as soon as possible to prevent any further fraud.
Both incidents are minor compared to some other security breaches, but could undermine confidence in Roku, which is generally viewed as a secure platform. The company urges users to create unique passwords that contain at least eight characters, mixing numbers, symbols, and lowercase and uppercase letters. It also warns about phishing attempts, in which criminals impersonate Roku via email and ask for sensitive information like payment or login credentials, or urge people to click on a link they were not expecting (unlike the verification link Roku itself sends when you log in). Genuine companies don’t solicit information in this way, and phishing attempts can often be spotted by telltale details, such as strange graphics or emails coming from addresses other than roku.com.
If your account has been compromised, you should receive a notification from Roku. If you don’t receive a prompt to reset your password, you can still reset it yourself by following these steps:
- On your phone, computer or tablet, open your web browser of choice and go to my.roku.com.
- On the login page, select “Forgot password?”.
- Enter your email address.
- Click the reset link sent to your email and enter your new password.