Streaming TV service provider Roku activated two-factor authentication (2FA) for all its 80 million users after hackers compromised 576,000 accounts in a credential stuffing attack.

It is the second credential stuffing incident the company has disclosed this year, although it said “sensitive” customer information — including full credit card numbers — was not stolen in either attack.

The first breach, affecting more than 15,000 accounts, was disclosed last month.

Credential-stuffing attacks involve hackers attempting to log into services using acquired lists of usernames and passwords unrelated to the target. It can be an effective way to breach a significant number of accounts on popular consumer service portals given many subscribers use the same username and password combination to access multiple services.

In an April 15 blog post, Roku said it identified the second attack — impacting about 576,000 additional accounts — as a result of ongoing security monitoring following the first breach.

“There is no indication that Roku was the source of the account credentials used in these attacks or that Roku’s systems were compromised in either incident,” the company said.

“Rather, it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials.”

In “less than 400 cases” the hackers used the compromised credentials to buy streaming services and Roku hardware products using the payment method linked to compromised accounts, the company said. But the threat actors did not have access to account holders’ full credit card numbers or “sensitive user information.”

Roku said it reset the passwords on all breached accounts and implemented 2FA for all users, regardless of whether they were impacted by the two attacks. This meant all users would need to verify their email address next time they logged into their account.
Roku activates 2FA for 80M users after breach of 576K accounts