Roku has revealed that more than 576,000 customer accounts were compromised in its latest data breach.
Earlier this year, Roku’s security monitoring systems detected an increase in unusual account activity. After a thorough investigation, it was determined that unauthorized actors had accessed about 15,000 Roku user accounts using login credentials (i.e. usernames and passwords) stolen from another source unrelated to Roku through a method known as “credential stuffing.”
Credential stuffing is a type of automated cyberattack where fraudsters use stolen usernames and passwords from one platform and attempt to log in to accounts on other platforms. This method exploits the practice of individuals reusing the same login credentials across multiple services. It was determined at that time that no data security compromise occurred in the Roku systems, and that Roku was not the source of the account credentials used in the attacks.
After concluding the investigation of the first incident, Roku notified affected customers in early March and continued to monitor its systems for suspicious account activity to protect customers and their personal information. Through this monitoring, a second incident was identified that impacted approximately 576,000 additional accounts.
There is no indication that Roku was the source of the account credentials used in these attacks or that Roku’s systems were compromised in either incident. Rather, it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials. In less than 400 cases, malicious actors logged in and made unauthorized purchases of streaming service subscriptions and Roku hardware products using the payment method stored in these accounts, but they did not gain access to any sensitive information, including full credit card numbers or other full payment information.
Roku has since implemented a number of controls and countermeasures to detect and deter future credential stuffing incidents and to protect its more than 80 million customers.
First, the company has reset passwords for all affected accounts and is notifying those customers directly about this incident. Refunds are being processed for the small number of accounts where Roku has determined that unauthorized actors made purchases of streaming service subscriptions or Roku hardware products using a payment method stored in these accounts.
As a part of the company’s ongoing commitment to information security, two-factor authentication (2FA) has been implemented for all Roku accounts, even those that have not been impacted by these recent incidents. As a result, the next time a Roku user attempts to log in to a Roku account online, a verification link will be sent to the email address associated with the account, and the user will need to click the link in that email before they can access the account.
Two-factor authentication (2FA) adds an extra step to the login process. Users who need assistance logging in can reach out to Roku’s Customer Support site for more information.
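The monitoring described above (an increase in unusual account activity across many accounts) is the kind of signal a credential-stuffing detector looks for. The following is an added illustration, not Roku's code: a hypothetical detector that flags a source IP which tries many distinct usernames in a short window with mostly failed logins, then lists the accounts it did get into as candidates for a forced password reset. The log events are constructed samples, not real Roku data.

```python
"""Flag credential-stuffing sources in authentication logs (hypothetical detector)."""
from collections import deque, defaultdict


def generate_sample_events():
    """Constructed sample events: (timestamp_s, source_ip, username, outcome)."""
    events = []
    # Legitimate user who mistypes once, then succeeds.
    events += [(5, "198.51.100.4", "alice", "fail"), (12, "198.51.100.4", "alice", "success")]
    # Stuffing source: 30 distinct accounts in ~30 s, two of which reuse a leaked password.
    for i in range(30):
        outcome = "success" if i in (7, 19) else "fail"
        events.append((20 + i, "203.0.113.7", f"user{i:02d}", outcome))
    # Shared office NAT: a handful of different users, all succeeding (must not be flagged).
    events += [(40 + i, "192.0.2.9", f"staff{i}", "success") for i in range(5)]
    return events


def find_stuffing_sources(events, window_s=60, min_distinct_users=20, max_success_rate=0.2):
    """Return {ip: (distinct_users, success_rate)} for IPs whose activity within any
    window_s-second span touches at least min_distinct_users accounts with a
    success rate no higher than max_success_rate. Thresholds are assumptions."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(events):
        by_ip[ip].append((ts, user, outcome))
    flagged = {}
    for ip, rows in by_ip.items():
        window = deque()  # sliding window of recent events for this IP
        for row in rows:
            window.append(row)
            while row[0] - window[0][0] > window_s:
                window.popleft()
            users = {u for _, u, _ in window}
            if len(users) < min_distinct_users:
                continue
            rate = sum(o == "success" for _, _, o in window) / len(window)
            if rate <= max_success_rate:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev[0]:
                    flagged[ip] = (len(users), round(rate, 3))
    return flagged


def successes_from(events, ip):
    """Accounts a flagged source actually logged into: candidates for a forced reset."""
    return sorted(u for _, src, u, o in events if src == ip and o == "success")


if __name__ == "__main__":
    evts = generate_sample_events()
    for ip, (n, rate) in find_stuffing_sources(evts).items():
        print(f"{ip}: {n} accounts tried, success rate {rate:.1%}; reset {successes_from(evts, ip)}")
```

Per-IP counting is only a first cut: distributed stuffing from many proxies needs the same distinct-account and failure-ratio logic applied across the whole login endpoint, not just per source.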
How you can help protect your account
Roku is committed to maintaining the privacy and security of your Roku account and to empowering users with information and tools to help safeguard their accounts:
- Create a strong, unique password for your Roku account. This makes it harder for someone to gain unauthorized access to your account. Use a mix of at least eight characters, including numbers, symbols, and lowercase and upper-case letters. Find more tips here: How to create a strong and secure password for your Roku account.
- Remain vigilant. Please be alert to any suspicious communications appearing to come from Roku, such as requests to update your payment details, share your username or password, or click on suspicious links. When in doubt over the authenticity of a communication, contact Roku Customer Support.
- Stay informed. In addition to blog posts and Support pages on Roku, be sure to check your email for communications from Roku and periodically log in to your Roku account to review your account charges.