
Over Half a Million Roku Accounts Were Compromised by Last Month’s Security Breach


Streaming platform Roku announces that a new data breach has impacted over half a million accounts in the United States.

While investigating last month’s security breach, Roku discovered that 576,000 accounts had been compromised, surpassing the earlier estimate of 15,000 compromised accounts. “After concluding our investigation of this first incident, we notified affected customers in early March and continued to monitor account activity closely to protect our customers and their personal information,” the company said in a statement. “Through this monitoring, we identified a second incident, which impacted approximately 576,000 additional accounts.”

The company, which has more than 80 million active accounts, revealed the breach in filings with the state attorneys general of Maine and California. The streaming platform stated in the filing that between Dec. 28, 2023, and Feb. 21, 2024, 15,363 accounts were compromised.

“Roku’s security team recently detected suspicious activity that indicated a limited number of Roku accounts were accessed by unauthorized actors using login credentials obtained from third-party sources (e.g., through data breaches of third-party services that are not related to Roku),” a company spokesperson told The Hollywood Reporter. “In response, we took immediate steps to secure these accounts and are notifying affected customers. Roku is committed to maintaining our customers’ privacy and security, and we take this incident very seriously.”

Bleeping Computer, which first reported the breach, stated that the hacked accounts were used to make fraudulent purchases of hardware and streaming subscriptions. However, the threat seemed minimal as the actors were selling stolen accounts for as little as $0.50 per account.

While Roku is predominantly a streaming platform, the company offers streaming sticks and boxes, home automation kits, sound bars, light strips, and Roku TVs that allow users to access services like Netflix, Hulu, and Amazon Prime Video.


Threat actors collect credentials exposed in data breaches and attempt to use them to log in to other sites, a technique called “credential stuffing.” Once in an account, they change its information, including passwords, email addresses, and shipping addresses. Once the legitimate users are locked out of the account, the threat actors can make purchases using the saved credit card information without the account holder being tipped off about the sale by an email confirmation.
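For defenders, the pattern described above can be turned into two log checks. The following is an added example, not code from Roku or from the original article: it flags a source address that tries logins on many different accounts, and an account where a login is followed by a contact-detail change and then a stored-card purchase. The event names, thresholds and log rows are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real Roku logs: (time, source IP, account, event).
EVENTS = [
    ("2024-02-01T10:00:00", "203.0.113.7", "alice", "login_fail"),
    ("2024-02-01T10:00:02", "203.0.113.7", "bob", "login_fail"),
    ("2024-02-01T10:00:04", "203.0.113.7", "carol", "login_ok"),
    ("2024-02-01T10:01:00", "203.0.113.7", "carol", "email_change"),
    ("2024-02-01T10:01:30", "203.0.113.7", "carol", "shipping_change"),
    ("2024-02-01T10:03:00", "203.0.113.7", "carol", "purchase_saved_card"),
    ("2024-02-01T11:00:00", "198.51.100.9", "dave", "login_ok"),
    ("2024-02-01T11:05:00", "198.51.100.9", "dave", "purchase_saved_card"),
]
CONTACT_CHANGES = {"password_change", "email_change", "shipping_change"}

def parse(events):
    return sorted((datetime.fromisoformat(t), ip, acct, ev) for t, ip, acct, ev in events)

def stuffing_sources(events, min_accounts=3, window=timedelta(minutes=5)):
    """IPs that attempt logins on many distinct accounts inside one window."""
    attempts = defaultdict(list)
    for ts, ip, acct, ev in parse(events):
        if ev in ("login_fail", "login_ok"):
            attempts[ip].append((ts, acct))
    flagged = set()
    for ip, rows in attempts.items():
        for start, _ in rows:
            accts = {a for ts, a in rows if start <= ts <= start + window}
            if len(accts) >= min_accounts:
                flagged.add(ip)
    return flagged

def takeover_sequences(events, window=timedelta(minutes=30)):
    """Accounts where a login is followed by a contact-detail change and then
    a stored-card purchase, all inside the window after that login."""
    state = {}  # account -> [time of last successful login, change seen?]
    hits = []
    for ts, ip, acct, ev in parse(events):
        if ev == "login_ok":
            state[acct] = [ts, False]
        elif acct in state and ts - state[acct][0] <= window:
            if ev in CONTACT_CHANGES:
                state[acct][1] = True
            elif ev == "purchase_saved_card" and state[acct][1]:
                hits.append(acct)
    return hits
```

In the sample data, "dave" buys with a saved card but changes nothing first, so only "carol" is reported as a takeover sequence.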

“In less than 400 cases, malicious actors logged in and made unauthorized purchases of streaming service subscriptions and Roku hardware products using the payment method stored in these accounts, but they did not gain access to any sensitive information, including full credit card numbers or other full payment information,” the Roku statement continued.

Roku announced that it has reset the passwords for the impacted accounts and alerted account holders about the breach. In addition to these actions, Roku will also be turning on two-factor authentication for all accounts to improve security on the streaming platform.

If the breach affected your account, visit “my.roku.com” and click on ‘Forgot password?’ to receive a reset link via email. Upon accessing your account, review recent activity on the Roku dashboard and connected devices to ensure you have approved everything.
