Streaming giant Roku has disclosed a second security incident within two months, revealing that hackers successfully breached more than half a million Roku user accounts.
According to a statement released on Friday, the company confirmed that approximately 576,000 user accounts were accessed using a technique known as credential stuffing. This method involves malicious actors using usernames and passwords stolen from other data breaches and attempting to reuse them on other platforms.
Roku noted that in fewer than 400 instances, the hackers exploited the compromised accounts to make unauthorized purchases of Roku hardware and streaming subscriptions using payment information stored within the accounts. The company has since refunded affected customers for these fraudulent transactions.
Despite the breach, Roku assured its users that sensitive information and complete credit card details were not accessed by the hackers.
This second incident was discovered while Roku was notifying around 15,000 users about a previous credential-stuffing attack that had compromised their accounts.
In response to these security challenges, Roku has implemented two-factor authentication for its users. This additional security measure helps prevent credential-stuffing attacks by requiring users to provide a time-sensitive code along with their username and password during login attempts. With this extra layer of security, Roku aims to better protect user accounts against unauthorized access.