Roku confirms second major cyberattack — over 500,000 accounts thought to be at risk

Roku remote next to iPhone with Roku logo on its screen
(Image credit: Shutterstock)

Top TV streaming service Roku has confirmed suffering a second major cyberattack, with this one affecting more than half a million users. 

Late last week, Roku said that unnamed threat actors had carried out a second wave of credential stuffing attacks, during which they managed to compromise 576,000 accounts.

In the first wave, roughly 15,000 accounts were breached.

Major breach

“After concluding our investigation of this first incident, we notified affected customers in early March and continued to monitor account activity closely to protect our customers and their personal information. Through this monitoring we identified a second incident, which impacted approximately 576,000 additional accounts,” the company said in a breach notification. 

"There is no indication that Roku was the source of the account credentials used in these attacks or that Roku’s systems were compromised in either incident.”

Account takeover by this route is dangerous in itself: once logged in, the attacker can read whatever personally identifiable information the account holds and use whatever the account is allowed to do, including any stored payment method.

In this incident the attackers went further than reading data, according to Roku: "In less than 400 cases, malicious actors logged in and made unauthorized purchases of streaming service subscriptions and Roku hardware products using the payment method stored in these accounts, but they did not gain access to any sensitive information, including full credit card numbers or other full payment information."

Credential stuffing is a type of attack in which hackers first obtain username/password pairs elsewhere (for example, from an earlier breach of another site, traded on a dark web forum) and then replay them, usually with automated tooling, against different services to see which ones work. A fraction of them often do, since many people reuse the same username/password combination across multiple services. The service being attacked is not itself breached; it simply accepts valid-looking credentials that were stolen somewhere else.
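Because the credentials are valid, stuffing does not show up as a single failed-login spike for one user. What gives it away in authentication logs is the source pattern: one origin cycling through many different usernames with a low success rate. The detector below is an added example written for this article, not Roku's code and not based on any data from the incident. It assumes a hypothetical JSON-lines login log with the fields ip, user and result, and the sample log it runs on is constructed inline (one stuffing source that tries 40 accounts and hits three, plus one legitimate user who mistypes a password twice). The accounts that succeeded from a flagged source are the ones that need the password reset and notification described in the article.

```python
"""Credential-stuffing detector over a JSON-lines login log.

Added example (not code from the original article or from Roku).
Assumed log schema, one JSON object per line: ts, ip, user, result ("ok" or "fail").
"""
import json
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log. 198.51.100.23 plays the stuffing source: 40 distinct
# usernames, only three of which succeed. 203.0.113.7 is an ordinary user who
# fails twice and then logs in, which must not be flagged.
_stuffing_lines = [
    json.dumps({"ts": f"2024-04-12T10:00:{i:02d}Z", "ip": "198.51.100.23",
                "user": f"user{i:03d}@example.net",
                "result": "ok" if i in (4, 17, 29) else "fail"})
    for i in range(40)
]
_legit_lines = [
    json.dumps({"ts": "2024-04-12T10:01:00Z", "ip": "203.0.113.7",
                "user": "alice@example.net", "result": "fail"}),
    json.dumps({"ts": "2024-04-12T10:01:09Z", "ip": "203.0.113.7",
                "user": "alice@example.net", "result": "fail"}),
    json.dumps({"ts": "2024-04-12T10:01:20Z", "ip": "203.0.113.7",
                "user": "alice@example.net", "result": "ok"}),
]
SAMPLE_LOG = "\n".join(_stuffing_lines + _legit_lines)


@dataclass
class SourceStats:
    """Per-source-IP counters used for the stuffing heuristic."""
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)          # every username tried
    success_users: set = field(default_factory=set)  # usernames that logged in

    @property
    def success_rate(self) -> float:
        return self.successes / self.attempts if self.attempts else 0.0


def parse_log(text: str) -> list:
    """Parse JSON lines, skipping blank or malformed lines instead of crashing."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if {"ip", "user", "result"} <= event.keys():
            events.append(event)
    return events


def aggregate_by_ip(events: list) -> dict:
    """Group login attempts by source IP."""
    stats = defaultdict(SourceStats)
    for event in events:
        s = stats[event["ip"]]
        user = event["user"].lower()
        s.attempts += 1
        s.users.add(user)
        if event["result"] == "ok":
            s.successes += 1
            s.success_users.add(user)
    return stats


def detect_stuffing(events: list, min_attempts: int = 20,
                    min_distinct_users: int = 10,
                    max_success_rate: float = 0.25) -> list:
    """Flag sources that try many distinct usernames with a low success rate.

    Thresholds are illustrative; tune them against a baseline of your own traffic.
    Returns one dict per flagged IP, most attempts first, including the accounts
    that actually succeeded from that source (the ones to reset and notify).
    """
    flagged = []
    for ip, s in aggregate_by_ip(events).items():
        if (s.attempts >= min_attempts
                and len(s.users) >= min_distinct_users
                and s.success_rate <= max_success_rate):
            flagged.append({
                "ip": ip,
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "successes": s.successes,
                "compromised_users": sorted(s.success_users),
            })
    return sorted(flagged, key=lambda f: f["attempts"], reverse=True)


if __name__ == "__main__":
    for hit in detect_stuffing(parse_log(SAMPLE_LOG)):
        print(json.dumps(hit, indent=2))
```

A per-IP threshold only catches the naive version. Real campaigns are spread across residential proxies so that each IP makes a handful of attempts, which is why production detection also tracks the global ratio of failed logins to distinct usernames over short windows, device and TLS fingerprints, and the share of attempted usernames that appear in known breach corpora. The control that makes a successful match non-exploitable, rather than merely detectable, is the MFA requirement the article describes.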

Roku said its servers were not the source of the leaked credentials. To contain the attack, it reset the passwords of the affected accounts and made multi-factor authentication (MFA) mandatory for all accounts, including those that were not compromised. The reset removes the reused password from Roku, and the MFA requirement means a password that leaks from some other service can no longer be replayed against a Roku account on its own.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.