Following a hack that exposed more than 15,000 Roku accounts last month, the company said Friday it discovered a second security incident that affected 576,000 additional user accounts.
Roku said it reset the passwords for all affected accounts and is notifying those customers directly about the latest incident. According to the company, in fewer than 400 cases, “malicious actors” made unauthorized purchases of streaming service subscriptions and/or Roku hardware products using the payment method stored in these accounts. Roku said it is refunding or reversing charges for accounts that were compromised and used to make illicit purchases.
In addition, Roku said, it has enabled two-factor authentication (2FA) for all Roku accounts, even those that were not affected by the recent incidents. As a result, the next time users attempt to log in to their Roku account online, a verification link will be sent to the email address associated with the account; Roku users will then need to click the link in the email before they can access the account.
Roku said the hackers did not gain access to any sensitive personal information, including full credit card numbers or other payment information.
Roku said it found no evidence that it was the source of the account credentials used in either of the attacks or that Roku’s systems were compromised in either incident. According to the company, it’s likely that login credentials used in the hacks were stolen from another source (i.e. other online accounts) for which the affected users may have used the same username and password — a cyberattack known as “credential stuffing.”
“While the overall number of affected accounts represents a small fraction of Roku’s more than 80 million active accounts, we are implementing a number of controls and countermeasures to detect and deter future credential stuffing incidents,” the company said.
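As an added illustration of what a detection control for credential stuffing can look like (example code written for this article, not Roku's own), the snippet below reads constructed authentication log lines and flags source addresses that attempt logins for many different usernames within a short window, the pattern that separates replayed leaked credentials from a single-account brute-force attempt or a user retrying their own password. The log format, thresholds and addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (assumed format, not real logs).
# 203.0.113.7 cycles through six different usernames in a few seconds;
# 198.51.100.9 retries one account, which looks like an ordinary user.
SAMPLE_LOG = """\
2024-04-12T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-04-12T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2024-04-12T10:00:02Z src=203.0.113.7 user=carol result=FAIL
2024-04-12T10:00:03Z src=203.0.113.7 user=dave result=SUCCESS
2024-04-12T10:00:04Z src=203.0.113.7 user=erin result=FAIL
2024-04-12T10:00:05Z src=203.0.113.7 user=frank result=FAIL
2024-04-12T10:00:30Z src=198.51.100.9 user=alice result=FAIL
2024-04-12T10:00:35Z src=198.51.100.9 user=alice result=FAIL
2024-04-12T10:00:40Z src=198.51.100.9 user=alice result=SUCCESS
"""


def parse_line(line):
    """Turn one 'ts src=.. user=.. result=..' line into a dict."""
    ts, src, user, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src.split("=", 1)[1],
        "user": user.split("=", 1)[1],
        "result": result.split("=", 1)[1],
    }


def detect_credential_stuffing(log_text, window=timedelta(minutes=5), min_distinct_users=5):
    """Return {src_ip: {...}} for sources that try >= min_distinct_users
    distinct usernames inside any sliding window of length `window`.
    Successful logins inside a flagged window are the accounts to review."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide window forward
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_distinct_users:
                successes = [e["user"] for e in evs[start:end + 1] if e["result"] == "SUCCESS"]
                alerts[src] = {"distinct_users": len(users), "successes": successes}
    return alerts
```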
Roku encouraged users to create a “strong, unique password” for their account (using a mix of at least eight characters, including numbers, symbols and lowercase and uppercase letters). It also advised customers to “remain vigilant,” being alert to any “suspicious communications appearing to come from Roku, such as requests to update your payment details, share your username or password, or click on suspicious links.” The company also directed users to an article on its customer-support site, “How to keep your Roku account secure.”
“[W]e sincerely regret that these incidents occurred and any disruption they may have caused,” the company said. “Your account security is a top priority, and we are committed to protecting your Roku account.”