Roku disclosed to its customers Friday (April 12) that 591,000 accounts were impacted by two separate cyberattacks.
In less than 400 of these cases, hackers logged in and made unauthorized purchases of streaming service subscriptions and Roku hardware products using the payment method stored in these accounts, the company said in a Friday (April 12) blog post.
The hackers did not gain access to full credit card numbers, other full payment information or any other sensitive information, according to the post.
In the first incident, which happened earlier in 2024, Roku determined that hackers accessed 15,000 accounts using usernames and passwords stolen from a source unrelated to Roku, the post said.
The attackers used “credential stuffing,” in which fraudsters use stolen login credentials from one platform to attempt to log in to accounts on other platforms, thereby exploiting some users’ habit of using the same username and password on multiple platforms, per the post.
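Credential stuffing as described above leaves a recognizable trace in a service's own login logs: a single source cycling through many different usernames in a short window, with mostly failures and the occasional success where a reused password matched. The detector below, run over a constructed log, is an added example and not Roku's code or anything from the company's post; the log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not real data): "timestamp source_ip username result".
# 203.0.113.7 replays stolen pairs against many accounts; one pair happens to work.
# 198.51.100.9 is an ordinary user mistyping their own password twice.
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 alice FAIL
2024-03-01T10:00:02 203.0.113.7 bob FAIL
2024-03-01T10:00:02 203.0.113.7 carol FAIL
2024-03-01T10:00:03 203.0.113.7 dave SUCCESS
2024-03-01T10:00:04 203.0.113.7 erin FAIL
2024-03-01T10:00:05 203.0.113.7 frank FAIL
2024-03-01T10:00:20 198.51.100.9 alice FAIL
2024-03-01T10:00:25 198.51.100.9 alice FAIL
2024-03-01T10:00:31 198.51.100.9 alice SUCCESS
"""

def parse_log(text):
    """Parse lines into (timestamp, ip, user, result) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)

def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.6):
    """Flag source IPs whose attempts inside any sliding `window` touch at least
    `min_users` distinct accounts with a failure ratio >= `min_fail_ratio`.
    Returns {ip: (distinct_users, attempts, accounts_logged_in)}; the last
    element lists the accounts a defender should reset first."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window start forward
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            fails = sum(1 for e in span if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                hits = sorted({e[2] for e in span if e[3] == "SUCCESS"})
                # keep the widest qualifying window seen for this source
                if ip not in flagged or len(users) > flagged[ip][0]:
                    flagged[ip] = (len(users), len(span), hits)
    return flagged
```

The single-user source with repeated failures is not flagged, which is the distinction between a forgotten password and a stuffing run; in production the thresholds would be tuned per service and the source key could be a device fingerprint or ASN rather than a bare IP.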
Roku notified the affected customers of this incident in early March, according to the post.
The company later discovered a second attack that impacted another 576,000 accounts, per the post.
“There is no indication that Roku was the source of the account credentials used in these attacks or that Roku’s systems were compromised in either incident,” the company said in the post. “Rather, it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials.”
In response to these incidents, Roku reset the passwords for all affected accounts, according to the post. It is also notifying customers about the second incident and refunding or reversing the unauthorized charges the hackers made.
To deter future credential stuffing attacks, the company has enabled two-factor authentication for all Roku accounts — including those that were not affected by these incidents, the post said.
Roku has also advised its customers to create a strong, unique password for their account; be wary of any suspicious communications that appear to come from the company; and stay informed about their account by monitoring the company’s blog posts, support pages, emails and any changes to their own account, per the post.
In an earlier credential stuffing attack, a 19-year-old man from Wisconsin pleaded guilty in November to conspiracy to commit computer intrusion after using that type of attack to hack user accounts at a fantasy sports and betting site.
That attack enabled access to about 60,000 accounts on the website and resulted in the theft of approximately $600,000 from around 1,600 victim accounts.