Last month a security breach came to light that is understood to have affected 15,000 Roku accounts; Roku has now revealed details of a second security incident impacting approximately 576,000 additional accounts.
The company became aware of the second incident while monitoring account activity following the first. Similar to the previous breach, Roku doesn’t believe it was the source of the latest incident, and claims its systems were not compromised in either attack.
Once again, Roku is suggesting that bad actors were able to access accounts after obtaining account details through credential stuffing – a cyber attack in which credentials leaked from one service are replayed against another, relying on users who reuse the same password. In fewer than 400 cases, these malicious actors were able to log in and make unauthorized subscription and Roku hardware product purchases using the payment method on file.
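Because credential stuffing replays leaked username/password pairs, its footprint in an authentication log differs from a legitimate user mistyping a password: one source address tries many distinct accounts in a short window with a high failure rate. The following is an added illustration of that detection logic and is not code from Roku or from this article; the log format, source addresses, account names and thresholds are all constructed for the example.

```python
"""Flag credential-stuffing patterns in authentication logs.

Signature looked for: a single source address attempting many *distinct*
accounts within a short window, with most attempts failing. A lone user
retrying their own password repeatedly does not match this pattern.

All sample data below is constructed; the log format and thresholds are
illustrative assumptions, not Roku's.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Assumed log line shape: "<iso-timestamp> src=<ip> user=<name> result=success|fail"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src: str
    user: str
    success: bool


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return LoginEvent(
        datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"] == "success"
    )


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_distinct_users=5, min_fail_ratio=0.8):
    """Return {src: summary} for sources whose activity looks like stuffing.

    A source is flagged if, within any sliding window, it attempted at least
    `min_distinct_users` different accounts and at least `min_fail_ratio` of
    those attempts failed. The summary covers all events from that source so
    responders see every account the source managed to log in to.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits in `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            fails = sum(not e.success for e in win)
            if len(users) >= min_distinct_users and fails / len(win) >= min_fail_ratio:
                flagged[src] = {
                    "distinct_users": len({e.user for e in evs}),
                    "attempts": len(evs),
                    "failures": sum(not e.success for e in evs),
                    # Accounts that actually got logged in to: candidates for a
                    # forced password reset, as the article describes.
                    "compromised_accounts": sorted({e.user for e in evs if e.success}),
                }
                break
    return flagged


def analyze(log_text):
    """Parse a whole log and return the flagged sources."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev is not None]
    return find_stuffing_sources(events)


# Constructed sample log: one spraying source (documentation-range IP) hitting
# six accounts, and one ordinary user retrying their own password.
SAMPLE_LOG = """\
2024-04-10T12:00:01 src=203.0.113.7 user=alice result=fail
2024-04-10T12:00:02 src=203.0.113.7 user=bob result=fail
2024-04-10T12:00:03 src=203.0.113.7 user=carol result=fail
2024-04-10T12:00:04 src=203.0.113.7 user=dave result=success
2024-04-10T12:00:05 src=203.0.113.7 user=erin result=fail
2024-04-10T12:00:06 src=203.0.113.7 user=frank result=fail
2024-04-10T12:01:00 src=198.51.100.9 user=grace result=fail
2024-04-10T12:01:05 src=198.51.100.9 user=grace result=fail
2024-04-10T12:01:10 src=198.51.100.9 user=grace result=success
this line is malformed and is skipped
"""

if __name__ == "__main__":
    for src, summary in analyze(SAMPLE_LOG).items():
        print(src, summary)
```

On the sample data only 203.0.113.7 is flagged (six distinct accounts, five failures, one successful login to "dave"); 198.51.100.9 is a single account retrying and is ignored. In practice the same pattern also shows up spread across many source addresses, so the per-source grouping would be complemented by a global "distinct accounts per password-failure burst" view, and the successful logins from a flagged source are the accounts to reset and notify.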
Despite these accounts being accessed and used to make purchases, Roku says that the bad actors did not gain access to any sensitive information such as full credit card numbers or other payment details.
Also similar to the first incident, Roku has confirmed that it has already refunded or reversed charges for “the small number of accounts” that were used to purchase streaming service subscriptions and/or Roku hardware products. The company also says it has now reset the passwords for all affected accounts and owners are being notified about the incident.
As part of a much wider effort to avoid another incident, Roku has decided to automatically enable two-factor authentication (2FA) for all accounts. Regardless of whether an individual account was affected by either incident, account holders will be sent a verification link by email the next time they attempt to log in to their Roku account.