Roku confirms over half a million accounts hacked in second credential stuffing incident
In some cases, hackers were able to make purchases after breaching user accounts.
What you need to know
- Approximately 576,000 Roku accounts were accessed through a credential stuffing attack, the company confirmed in an April 12 statement.
- The latest attack comes a month after about 15,000 Roku accounts were breached through the same method of attack.
- While the hackers couldn't access "sensitive user information or full credit card information," they successfully made purchases within Roku using fewer than 400 breached accounts.
Roku suffered a limited security incident last month in which roughly 15,000 user accounts were compromised, and now another 576,000 have been affected by a second attack. In an April 12 statement, the company announced that over half a million accounts were fraudulently accessed through credential stuffing. While the attackers were unable to access sensitive information, they were able to make purchases using a very small number of Roku accounts.
Credential stuffing is a method of attack in which attackers take username and password pairs leaked from one breach and replay them, usually automatically and at scale, against the login pages of other popular sites. That's why cybersecurity experts warn against reusing the same password on two different websites: if the password to one account is leaked in a hack, bad actors can try that same username and password combination on every other service the victim might use. Roku says that since this was a credential-stuffing attack, it was not the source of the login credentials used to breach the 576,000 accounts.
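As an added illustration that is not part of the article or of Roku's own systems, the following defender-side heuristic shows how a login service can tell credential stuffing apart from an ordinary single-account brute-force attempt in its authentication logs: one source trying many distinct usernames with a low success rate is the signature of replayed leaked credentials. The log format, IP addresses, usernames and thresholds are all constructed assumptions for this example.

```python
# Credential stuffing replays leaked username/password pairs, so one source
# hits MANY distinct accounts with few attempts each and a low success rate;
# brute force against a single account hits FEW usernames many times.
# The heuristic below separates the two. Format/thresholds are assumptions.
from collections import defaultdict

# Constructed sample log: "timestamp src_ip username outcome"
SAMPLE_LOG = """\
2024-04-10T10:00:01 203.0.113.7 alice FAIL
2024-04-10T10:00:02 203.0.113.7 bob FAIL
2024-04-10T10:00:02 203.0.113.7 carol OK
2024-04-10T10:00:03 203.0.113.7 dave FAIL
2024-04-10T10:00:03 203.0.113.7 erin FAIL
2024-04-10T10:00:04 203.0.113.7 frank FAIL
2024-04-10T10:00:05 198.51.100.9 alice FAIL
2024-04-10T10:00:06 198.51.100.9 alice FAIL
2024-04-10T10:00:07 198.51.100.9 alice FAIL
2024-04-10T10:00:08 198.51.100.9 alice OK
2024-04-10T10:00:09 192.0.2.20 gina OK
"""

def parse_log(text):
    """Yield (src_ip, username, success) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, ip, user, outcome = parts
        yield ip, user, outcome == "OK"

def detect_stuffing(text, min_users=5, max_success_rate=0.5):
    """Return {src_ip: stats} for sources whose pattern matches stuffing."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "ok": 0})
    for ip, user, ok in parse_log(text):
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        s["ok"] += int(ok)
    flagged = {}
    for ip, s in stats.items():
        rate = s["ok"] / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"attempts": s["attempts"],
                           "distinct_users": len(s["users"]),
                           "success_rate": round(rate, 2)}
    return flagged

if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)  # flags only 203.0.113.7, not the brute-force IP
```

In production the same counters would be kept per time window rather than over the whole file, and a flagged source is a prompt to step up authentication (exactly the email-link verification Roku describes) rather than to block outright, since shared NAT addresses can look similar.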
"There is no indication that Roku was the source of the account credentials used in these attacks or that Roku’s systems were compromised in either incident," the company explained in the statement. "Rather, it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials."
Roku says that the hackers did not access sensitive information or full credit card information. However, in fewer than 400 cases, the bad actors were able to purchase Roku hardware or subscribe to streaming services. In those cases, Roku is refunding the users or reversing the transactions.
Roku will notify customers directly if they've been impacted by either account breach. Moving forward, the company will make two-factor authentication mandatory on all accounts to try to nix credential stuffing. After logging into Roku next, users will be prompted to verify their login with a link sent via email.
Since the company has 80 million active users, this breach is fairly small in the grand scheme of things. Still, if you have a Roku account, it's worth checking to see if you were affected. Roku also automatically resets account passwords for affected users. Even if your account wasn't affected, be sure to practice good online security habits and use a different password for each account you create. To make it less of a hassle, you can start using one of the best password managers.
Brady is a tech journalist for Android Central, with a focus on news, phones, tablets, audio, wearables, and software. He has spent the last three years reporting and commenting on all things related to consumer technology for various publications. Brady graduated from St. John's University with a bachelor's degree in journalism. His work has been published in XDA, Android Police, Tech Advisor, iMore, Screen Rant, and Android Headlines. When he isn't experimenting with the latest tech, you can find Brady running or watching Big East basketball.