Roku on Friday revealed a second security incident affecting 576,000 user accounts, following a breach disclosed last month that exposed over 15,000 accounts.
In response, Roku has reset the passwords of all affected accounts and is notifying the impacted customers directly about the latest incident. The company disclosed that in fewer than 400 cases, “malicious actors” used payment methods stored in the compromised accounts to make unauthorized purchases of streaming service subscriptions and/or Roku hardware. The attackers did not, however, gain access to other sensitive information such as full credit card numbers or other complete payment details.
Roku has committed to refunding or reversing charges for the accounts that were compromised for illicit purposes.
Additionally, Roku has enabled two-factor authentication (2FA) for all Roku accounts, including those unaffected by the incidents. From now on, a user who logs in to their Roku account online will receive a verification link at the email address on file and must click that link to complete the login. Because the second factor is the email account itself, this control protects a reused password only as far as the user's email account is itself secured.
The company said, “While the overall number of affected accounts represents a small fraction of Roku’s more than 80 million active accounts, we are implementing a number of controls and countermeasures to detect and deter future credential stuffing incidents.”
Roku said in a statement on its website that there is no evidence its own systems were compromised or that Roku was the source of the account credentials used in either attack. Instead, the usernames and passwords were stolen from other sources and replayed against Roku, succeeding wherever an affected user had reused the same username and password elsewhere. This technique is known as “credential stuffing.”
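The pattern described above has a recognisable signature in authentication logs: a handful of source addresses trying many different usernames in quick succession, with a low success rate, because the attacker is replaying pairs leaked from elsewhere and most of them are wrong for this site. The following is an added example of that detection logic, not Roku's code; the log format, the field names and the thresholds are assumptions, and the sample log lines are constructed for the example:

```python
"""Credential-stuffing detector over a constructed login-event log.

Added example, not Roku's code. Credential stuffing looks like many
distinct usernames attempted from one source at high velocity with a
low success rate. A legitimate user typing a wrong password looks like
one username, one source, a success shortly afterwards.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed sample log (assumed format: timestamp source_ip username OK|FAIL).
# 203.0.113.7 replays twelve leaked credential pairs; two of them work.
# 198.51.100.20 and .21 are ordinary users logging in normally.
SAMPLE_LOG = """\
2024-04-12T10:00:00Z 203.0.113.7 alice FAIL
2024-04-12T10:00:05Z 203.0.113.7 bob FAIL
2024-04-12T10:00:10Z 203.0.113.7 carol OK
2024-04-12T10:00:15Z 203.0.113.7 dave FAIL
2024-04-12T10:00:20Z 203.0.113.7 erin FAIL
2024-04-12T10:00:25Z 203.0.113.7 frank FAIL
2024-04-12T10:00:30Z 203.0.113.7 grace FAIL
2024-04-12T10:00:35Z 203.0.113.7 heidi FAIL
2024-04-12T10:00:40Z 203.0.113.7 ivan OK
2024-04-12T10:00:45Z 203.0.113.7 judy FAIL
2024-04-12T10:00:50Z 203.0.113.7 mallory FAIL
2024-04-12T10:00:55Z 203.0.113.7 oscar FAIL
2024-04-12T10:02:00Z 198.51.100.20 alice FAIL
2024-04-12T10:02:30Z 198.51.100.20 alice OK
2024-04-12T10:03:00Z 198.51.100.21 bob OK
"""


@dataclass
class SourceStats:
    """Per-source-IP aggregate of login attempts."""
    attempts: int = 0
    successes: int = 0
    users: Set[str] = field(default_factory=set)        # distinct usernames tried
    compromised: Set[str] = field(default_factory=set)  # usernames that succeeded
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None


def parse_line(line: str):
    """Parse one assumed-format log line into (timestamp, ip, user, success)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"


def aggregate(lines) -> Dict[str, SourceStats]:
    """Group login events by source IP, counting attempts, successes, users."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ts, ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes += 1
            s.compromised.add(user)
        s.first_seen = ts if s.first_seen is None else min(s.first_seen, ts)
        s.last_seen = ts if s.last_seen is None else max(s.last_seen, ts)
    return stats


def flag_stuffing(stats: Dict[str, SourceStats],
                  min_distinct_users: int = 10,
                  max_success_rate: float = 0.2,
                  min_attempts_per_min: float = 5.0) -> Dict[str, List[str]]:
    """Return {source_ip: [accounts it logged into]} for sources that look
    like credential stuffing: many distinct users, mostly failing, fast.
    Thresholds are illustrative assumptions, not tuned production values."""
    flagged: Dict[str, List[str]] = {}
    for ip, s in stats.items():
        span_sec = max((s.last_seen - s.first_seen).total_seconds(), 1.0)
        rate = s.attempts / (span_sec / 60.0)
        success_rate = s.successes / s.attempts
        if (len(s.users) >= min_distinct_users
                and success_rate <= max_success_rate
                and rate >= min_attempts_per_min):
            flagged[ip] = sorted(s.compromised)
    return flagged


def accounts_to_reset(flagged: Dict[str, List[str]]) -> Set[str]:
    """Accounts a stuffing source actually got into: the ones to force-reset."""
    return {user for users in flagged.values() for user in users}


if __name__ == "__main__":
    found = flag_stuffing(aggregate(SAMPLE_LOG.splitlines()))
    for ip, users in found.items():
        print(f"{ip}: credential stuffing, compromised accounts {users}")
    print("reset:", sorted(accounts_to_reset(found)))
```

On the constructed log the replaying source is flagged (12 distinct users, 2 of 12 successes, roughly 13 attempts per minute) while the two normal users are not, and the successful logins from the flagged source are exactly the accounts that would get a forced password reset. In a real deployment the same counters would be kept per sliding window and also keyed by username across sources, since a distributed attacker spreads attempts over many addresses to stay under a per-IP rate.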
Roku is also urging users to strengthen their accounts with strong, unique passwords of at least eight characters that mix symbols, numbers, and both uppercase and lowercase letters. Against credential stuffing it is the uniqueness that matters: a password never used on another site cannot be replayed from another site's breach. The streaming platform also advised customers to “remain vigilant” and be cautious of any suspicious communications that appear to originate from Roku, including requests to share usernames or passwords, update payment details, or click on dubious links.
The company said, “We sincerely regret that these incidents occurred and any disruption they may have caused. Your account security is a top priority, and we are committed to protecting your Roku account.”