Roku says it discovered a second cyberattack on Friday, this one affecting 576,000 user accounts. It is the second breach the company has disclosed since March.
Roku says the attackers used account holders' existing login credentials, a technique known as credential stuffing, to log in to the accounts and reach the payment methods stored in them. In "approximately 400 cases" the attackers used those stored payment methods to make unauthorized purchases of streaming subscriptions and Roku hardware. The company says the attackers did not obtain sensitive information such as full credit card numbers or addresses; only partial card numbers were visible in the compromised accounts.
Credential stuffing works because people reuse passwords: attackers take username and password pairs leaked in a breach of one service and try them, at scale and usually automated, against the login pages of other services. Roku says the credentials may have come from such third-party sources rather than from its own systems. The same technique was used in March, when about 15,000 Roku accounts were compromised and the attackers obtained credit card information from them.
Roku says it has reset the passwords of the affected accounts and will refund or waive the charges for the unauthorized purchases for the small number of users whose payment methods were used.
The company has also enabled two-factor authentication for all 80 million active Roku accounts, including those not involved in the breach; users will receive a verification link to complete the setup. According to the company, the additional login step will help its security team "detect and deter future credential stuffing incidents."
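The detection Roku alludes to does not need much more than the login log, and it is worth seeing why the usual per-account lockout misses credential stuffing: each account receives only one or two attempts, so the signal is on the source side, where one address tries many different accounts and mostly fails. The following is an added example written for this article, not Roku's code; the log format, thresholds and sample lines are constructed for illustration. It flags sources that hit many distinct accounts in a short window with a low success ratio, leaves a busy NAT gateway alone because its logins succeed, and returns the accounts that were actually entered from a flagged source, which are the ones to reset first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format, not Roku's):
# one source sprays eight different accounts in ten seconds and lands one,
# a NAT gateway logs six different users in cleanly, and one person fumbles
# their own password twice before getting it right.
SAMPLE_LOG = """\
2024-04-12T10:00:00Z src=203.0.113.7 user=alice result=FAIL
2024-04-12T10:00:01Z src=203.0.113.7 user=bob result=FAIL
2024-04-12T10:00:02Z src=203.0.113.7 user=carol result=OK
2024-04-12T10:00:03Z src=203.0.113.7 user=dave result=FAIL
2024-04-12T10:00:04Z src=203.0.113.7 user=erin result=FAIL
2024-04-12T10:00:06Z src=203.0.113.7 user=frank result=FAIL
2024-04-12T10:00:08Z src=203.0.113.7 user=grace result=FAIL
2024-04-12T10:00:10Z src=203.0.113.7 user=heidi result=FAIL
2024-04-12T10:00:05Z src=198.51.100.20 user=ivan result=OK
2024-04-12T10:00:15Z src=198.51.100.20 user=judy result=OK
2024-04-12T10:00:25Z src=198.51.100.20 user=kim result=OK
2024-04-12T10:00:35Z src=198.51.100.20 user=leo result=OK
2024-04-12T10:00:45Z src=198.51.100.20 user=mia result=OK
2024-04-12T10:00:55Z src=198.51.100.20 user=ned result=OK
2024-04-12T10:01:00Z src=192.0.2.33 user=alice result=FAIL
2024-04-12T10:01:20Z src=192.0.2.33 user=alice result=FAIL
2024-04-12T10:01:40Z src=192.0.2.33 user=alice result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=5, max_success_ratio=0.2):
    """Flag source IPs that try many *different* accounts inside one sliding
    window with mostly failures. Thresholds are illustrative assumptions.
    A shared gateway with a high success ratio is deliberately not flagged."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            # slide the window start forward so the bucket spans at most `window`
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            bucket = evs[start:end + 1]
            users = {e["user"] for e in bucket}
            successes = [e["user"] for e in bucket if e["result"] == "OK"]
            if (len(users) >= min_distinct_users
                    and len(successes) / len(bucket) <= max_success_ratio):
                found = {
                    "distinct_users": len(users),
                    "attempts": len(bucket),
                    "successes": len(successes),
                    # accounts the attacker actually got into: reset these first
                    "compromised": sorted(set(successes)),
                }
                # keep the window with the most evidence for this source
                if src not in alerts or found["distinct_users"] > alerts[src]["distinct_users"]:
                    alerts[src] = found
    return alerts


def accounts_to_reset(alerts):
    """Union of accounts successfully logged into from a flagged source."""
    return sorted({u for a in alerts.values() for u in a["compromised"]})


if __name__ == "__main__":
    found = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    for src, info in found.items():
        print(src, info)
    print("force password reset:", accounts_to_reset(found))
```

On the constructed log only 203.0.113.7 is flagged, and the single account it entered is returned for reset. In production the same logic runs against the source of the request rather than the account, and a second factor then closes the gap for the accounts where the stolen password was correct.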
As always, even if your account was not affected, it is worth checking your email address on Have I Been Pwned? and enabling two-factor authentication wherever it is offered. Above all, do not reuse a password across services: that reuse is what makes credential stuffing work.