Streaming TV service provider Roku activated two-factor authentication (2FA) for all its 80 million users after hackers compromised 576,000 accounts in a credential stuffing attack.
It is the second credential stuffing incident the company has disclosed this year, although it said “sensitive” customer information — including full credit card numbers — was not stolen in either attack.
The first breach, affecting more than 15,000 accounts, was disclosed last month.
Credential-stuffing attacks involve hackers attempting to log into a service using lists of usernames and passwords acquired from unrelated sources, typically earlier breaches. They can be an effective way to compromise a significant number of accounts on popular consumer service portals, because many subscribers reuse the same username and password combination across multiple services.
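Because a stuffing run tries many different usernames from the same source with a high failure rate, it has a recognisable shape in authentication logs. The following detection sketch is an added example, not code from Roku or from the article; the log format and all addresses and usernames are constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not from any real system). Assumed format:
# "<timestamp> ip=<source> user=<account> result=<ok|fail>"
# 203.0.113.7 sprays many accounts (stuffing); 198.51.100.9 is one user
# retrying their own password; 192.0.2.44 is a normal single login.
SAMPLE_LOG = """\
2024-04-15T10:00:01Z ip=203.0.113.7 user=alice@example.test result=fail
2024-04-15T10:00:02Z ip=203.0.113.7 user=bob@example.test result=fail
2024-04-15T10:00:03Z ip=203.0.113.7 user=carol@example.test result=ok
2024-04-15T10:00:04Z ip=203.0.113.7 user=dave@example.test result=fail
2024-04-15T10:00:05Z ip=203.0.113.7 user=erin@example.test result=fail
2024-04-15T10:00:06Z ip=203.0.113.7 user=frank@example.test result=fail
2024-04-15T10:01:00Z ip=198.51.100.9 user=alice@example.test result=fail
2024-04-15T10:01:05Z ip=198.51.100.9 user=alice@example.test result=fail
2024-04-15T10:01:10Z ip=198.51.100.9 user=alice@example.test result=ok
2024-04-15T10:02:00Z ip=192.0.2.44 user=grace@example.test result=ok
"""

@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct accounts tried
    successes: list = field(default_factory=list)  # accounts that logged in

def parse_line(line):
    """Split one log line into (source ip, username, login succeeded)."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["ip"], fields["user"], fields["result"] == "ok"

def find_stuffing_sources(log_text, min_users=5, min_fail_rate=0.6):
    """Flag sources that tried many distinct accounts and mostly failed.
    Returns {ip: summary}; 'compromised' lists accounts that succeeded
    from a flagged source, i.e. the ones whose passwords need resetting."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.append(user)
        else:
            s.failures += 1
    flagged = {}
    for ip, s in stats.items():
        fail_rate = s.failures / s.attempts
        if len(s.users) >= min_users and fail_rate >= min_fail_rate:
            flagged[ip] = {"attempts": s.attempts, "distinct_users": len(s.users),
                           "fail_rate": round(fail_rate, 2),
                           "compromised": sorted(s.successes)}
    return flagged
```

A single user retrying their own password produces failures but only one distinct username, so it is not flagged; the spraying source is, along with the account that succeeded from it.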
In an April 15 blog post, Roku said it identified the second attack — impacting about 576,000 additional accounts — as a result of ongoing security monitoring following the first breach.
“There is no indication that Roku was the source of the account credentials used in these attacks or that Roku’s systems were compromised in either incident,” the company said.
“Rather, it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials.”
In “less than 400 cases” the hackers used the compromised credentials to buy streaming services and Roku hardware products using the payment method linked to compromised accounts, the company said. But the threat actors did not have access to account holders’ full credit card numbers or “sensitive user information.”
Roku said it reset the passwords on all breached accounts and implemented 2FA for all users, regardless of whether they were impacted by the two attacks. This meant all users would need to verify their email address next time they logged into their account.
Roku customers forced to agree with new terms of service
The company upset customers last month when it updated the dispute resolution section of its terms of service, forcing them to agree to the new terms before they could continue using their Roku device.
The new terms mandate that disputes must be resolved through arbitration, effectively ruling out the possibility of bringing a lawsuit against the company.
Some customers speculated at the time that the change was likely a preemptive move to avoid legal blowback related to some pending bad news, and the revelation of the second credential stuffing attack renewed those suspicions.
However, Roku previously claimed the change to its terms was unrelated to the breach it revealed last month.
It said it would refund customers whose accounts and credit cards had been used by the hackers to purchase goods or services.
Another streaming TV service provider, Plex, suffered a breach in 2022 where hackers stole 15 million emails, usernames and encrypted passwords.