Pierluigi Paganini April 12, 2024

Roku announced that 576,000 accounts were compromised in a new wave of credential stuffing attacks.

Roku announced that 576,000 accounts were hacked in new credential stuffing attacks, threat actors used credentials stolen from third-party platforms.

“Credential stuffing is a type of attack in which hackers use automation and lists of compromised usernames and passwords to defeat authentication and authorization mechanisms, with the end goal of account takeover (ATO) and/or data exfiltration.” In other words, bad actors glean lists of breached usernames and passwords and run them against desired logins until they find some that work. Then, they enter those accounts to abuse permissions, siphoning out data, or both. 

Earlier this year, Roku detected unusual account activity and discovered that unauthorized actors accessed around 15,000 user accounts using login credentials obtained from a different source through “credential stuffing.”

Once the company concluded the investigation of this first security breach, they notified the impacted customers in early March. The company continued to monitor account activity and identified a second incident that impacted approximately 576,000 additional accounts. 

“There is no indication that Roku was the source of the account credentials used in these attacks or that Roku’s systems were compromised in either incident. Rather, it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials.” reads the press release published by the company. “In less than 400 cases, malicious actors logged in and made unauthorized purchases of streaming service subscriptions and Roku hardware products using the payment method stored in these accounts, but they did not gain access to any sensitive information, including full credit card numbers or other full payment information.” 

The company announced the implementation of measures to prevent future incidents, including password resets for the affected accounts. Roku also plans to refund unauthorized purchases and is implementing two-factor authentication (2FA) for all accounts. Roku aims to simplify this process and offers support for users needing assistance.

The company has enabled two-factor authentication (2FA) by default for all customer accounts.

The company recommends customers use strong and unique passwords for their accounts and be vigilant for suspicious activities.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)