
More than half a million accounts compromised in Roku data breach

Roku Manchester, courtesy Roku

Roku has revealed that 576k accounts have been impacted by a data breach.

The streaming platform, which has a UK base in Manchester, said the new incident was discovered while it was investigating an earlier one that impacted 15k accounts.

In a statement it explained that earlier this year its security monitoring systems detected an “increase in unusual activity” and found that “unauthorised actors” had accessed 15k Roku users’ accounts using usernames and passwords “stolen from another source.” That source was unrelated to the streamer: the attackers used a method called “credential stuffing”, an automated attack in which username and password pairs leaked from one service are replayed, at scale, against another service’s login page. It succeeds wherever a user has reused the same password on both services, which is why the victim service can be compromised without any flaw in its own systems.

On this occasion it concluded that “no data security compromise occurred within our systems, and that Roku was not the source of the account credentials used in these attacks.”

After notifying customers in March, the company continued to monitor account activity and through this identified a second incident involving a much larger set of accounts – 576k.

“There is no indication that Roku was the source of the account credentials used in these attacks or that Roku’s systems were compromised in either incident,” it stated.

“Rather, it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials. In less than 400 cases, malicious actors logged in and made unauthorised purchases of streaming service subscriptions and Roku hardware products using the payment method stored in these accounts, but they did not gain access to any sensitive information, including full credit card numbers or other full payment information.”

Roku said the affected accounts represented “a small fraction” of its 80m active accounts, but that it was implementing a number of controls and countermeasures to detect and deter future credential stuffing incidents.
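The credential stuffing pattern described above, and the kind of detection control mentioned here, can be illustrated with a small detector over authentication logs. This is an added example, not Roku’s code or a description of its monitoring; the log format, IP addresses, usernames and thresholds are all constructed for the example. The signature it looks for is the one that distinguishes stuffing from ordinary traffic and from brute force: one source trying many distinct usernames, roughly once each, with a high failure rate. Accounts that logged in successfully from a flagged source are the ones an operator would force a password reset on.

```python
"""Credential-stuffing detector over constructed authentication log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source ip> <username> <result>".
# 203.0.113.7 replays a leaked list (many users, ~1 attempt each, mostly FAIL, a few OK),
# 198.51.100.9 brute-forces one account, 192.0.2.x is ordinary user traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:00 203.0.113.7 alice@example.com FAIL
2024-03-01T10:00:01 203.0.113.7 bob@example.com FAIL
2024-03-01T10:00:01 203.0.113.7 carol@example.com FAIL
2024-03-01T10:00:02 203.0.113.7 dave@example.com OK
2024-03-01T10:00:02 203.0.113.7 erin@example.com FAIL
2024-03-01T10:00:03 203.0.113.7 frank@example.com FAIL
2024-03-01T10:00:03 203.0.113.7 grace@example.com FAIL
2024-03-01T10:00:04 203.0.113.7 heidi@example.com FAIL
2024-03-01T10:00:04 203.0.113.7 ivan@example.com FAIL
2024-03-01T10:00:05 203.0.113.7 judy@example.com OK
2024-03-01T10:05:00 198.51.100.9 mallory@example.com FAIL
2024-03-01T10:05:01 198.51.100.9 mallory@example.com FAIL
2024-03-01T10:05:02 198.51.100.9 mallory@example.com FAIL
2024-03-01T10:05:03 198.51.100.9 mallory@example.com FAIL
2024-03-01T10:05:04 198.51.100.9 mallory@example.com FAIL
2024-03-01T10:05:05 198.51.100.9 mallory@example.com FAIL
2024-03-01T10:05:06 198.51.100.9 mallory@example.com FAIL
2024-03-01T10:05:07 198.51.100.9 mallory@example.com FAIL
2024-03-01T11:00:00 192.0.2.20 alice@example.com OK
2024-03-01T11:30:00 192.0.2.21 bob@example.com FAIL
2024-03-01T11:30:10 192.0.2.21 bob@example.com OK
"""

EPOCH = datetime(1970, 1, 1)  # naive reference point, so bucketing ignores local timezone


def parse_line(line):
    """Parse one log line into (timestamp, source ip, username, success)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def window_key(ts, window):
    """Fixed-size time bucket index for a timestamp."""
    return int((ts - EPOCH).total_seconds()) // int(window.total_seconds())


def summarize(log_text, window=timedelta(minutes=10)):
    """Aggregate attempts per (source ip, window): count, distinct users, failures, successes."""
    buckets = defaultdict(lambda: {"attempts": 0, "users": set(), "failures": 0, "succeeded": set()})
    for line in log_text.strip().splitlines():
        ts, ip, user, ok = parse_line(line)
        b = buckets[(ip, window_key(ts, window))]
        b["attempts"] += 1
        b["users"].add(user)
        if ok:
            b["succeeded"].add(user)
        else:
            b["failures"] += 1
    return buckets


def classify(bucket, min_attempts=8, min_distinct_users=5,
             max_attempts_per_user=2.0, min_fail_ratio=0.5):
    """Label one (ip, window) bucket. Thresholds are illustrative, not tuned values."""
    attempts = bucket["attempts"]
    if attempts < min_attempts:
        return "normal"
    distinct = len(bucket["users"])
    fail_ratio = bucket["failures"] / attempts
    if fail_ratio < min_fail_ratio:
        return "normal"  # a busy but mostly-successful source, e.g. a shared NAT
    if distinct >= min_distinct_users and attempts / distinct <= max_attempts_per_user:
        return "credential_stuffing"  # many accounts, about one guess each
    if distinct == 1:
        return "brute_force"  # one account, many guesses
    return "normal"


def detect(log_text, **thresholds):
    """Return ({source ip: verdict}, {accounts that logged in from a stuffing source})."""
    verdicts = {}
    to_reset = set()
    for (ip, _window), bucket in summarize(log_text).items():
        verdict = classify(bucket, **thresholds)
        if verdict != "normal":
            verdicts[ip] = verdict
        if verdict == "credential_stuffing":
            to_reset |= bucket["succeeded"]
    return verdicts, to_reset


if __name__ == "__main__":
    verdicts, reset = detect(SAMPLE_LOG)
    for ip, verdict in verdicts.items():
        print(f"{ip}: {verdict}")
    print("force password reset:", sorted(reset))
```

The fixed 10-minute bucket keeps the example short; a production detector would use a sliding window and key on more than the source IP, since stuffing tooling routinely spreads attempts across proxy pools so that no single address crosses a per-IP threshold. Successful logins from a flagged source are the useful output: the failures identify the attacker, the successes identify the customers whose reused passwords are now known to be valid.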

It has reset the passwords for all affected accounts and is notifying those customers. It is also refunding or reversing charges where unauthorised purchases were made.

Two-factor authentication has also been enabled on all Roku accounts.
