Simply weeks after a safety hack uncovered greater than 15,000 Roku accounts, the corporate stated Friday {that a} second safety breach impacted greater than 576,000 accounts.
In an announcement on its web site, the corporate stated it discovered no proof that it was the supply of the account credentials utilized in both of the assaults or that Roku’s techniques had been compromised. As a substitute, the corporate stated, login credentials used within the hacks had been probably stolen from one other supply for which the affected customers could have used the identical username and password. This sort of cyberattack is named “credential stuffing.”
Roku stated in fewer than 400 instances, the “malicious actors logged in and made unauthorized purchases of streaming service subscriptions and Roku {hardware} producing utilizing the cost retailer in these accounts, however they didn’t acquire entry to any delicate data, together with full bank card numbers or different full cost data.”
Jenny Kane / AP
The corporate stated it reset the passwords for all affected accounts and notified these prospects instantly concerning the incident. It’s refunding or reversing expenses within the accounts that purchases made by unauthorized actors.
As well as, the corporate additionally enabled two-factor authentication for all Roku accounts, even people who haven’t been impacted by both safety incident They stated account holders ought to be conscious that the subsequent time they log into the Roku account on-line, a verification hyperlink will likely be despatched to the related e mail.
“Whereas the general variety of affected accounts represents a small fraction of Roku’s greater than 80 (million) energetic accounts, we’re implementing a variety of controls and countermeasures to detect and deter future credential stuffing incidents,” the corporate stated.
Roku inspired customers to create a “sturdy, distinctive password” for his or her account and in addition suggested them to “stay vigilant,” being alert to any “suspicious communications showing to return from Roku, resembling requests to replace your cost particulars, share your username or password, or click on on suspicious hyperlinks.”
“We sincerely remorse that these incidents occurred and any disruption they could have brought on,” the corporate stated. “Your account safety is a high precedence, and we’re dedicated to defending your Roku account.”
That is the second Roku breach in current months. In March, Roku stated hackers accessed greater than 15,000 person accounts.
