Roku, the streaming technology company, just reported on a security issue concerning unauthorized access to some user accounts.
Earlier in the year, Roku’s security systems identified abnormal activity suggesting unauthorized access to approximately 15,000 user accounts via credential stuffing. This type of attack involves using stolen login details from one service to access accounts on other services, exploiting users’ tendencies to reuse passwords across multiple platforms. Roku clarified that their systems had not been compromised and the credentials used were obtained from sources outside of Roku. Roku contacted the affected customers in early March after their initial investigation and continued to monitor for suspicious account activity.
A subsequent incident was just discovered, affecting around 576,000 additional accounts. Again, Roku’s systems were not the source of the stolen credentials. In fewer than 400 instances, unauthorized purchases were made, but no sensitive information such as full credit card numbers was accessed.
The way an attack like this works is pretty straightforward. If you reuse passwords for multiple services, and one of those services is hacked, then your username and password end up in a database of stolen credentials held by the bad guys. They then take this database and replay it against other services to see where they can log in. In this case, we don’t know which breach the original usernames/passwords came from. It’s safe to say that using the same username and password on multiple services is a bad idea.
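The replay pattern described above has a recognizable fingerprint on the receiving service's side: one source tries many different accounts, roughly once each, and most attempts fail because the leaked password does not match. The following is an added example (not Roku's code or anything from the original post) that scores constructed login events per source IP and returns, for each flagged source, the accounts that did log in successfully, which are the ones an operator would reset and notify; the log format and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample authentication events (not real Roku data), one per line:
# <timestamp> <source-ip> <account> <outcome>
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-03-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2024-03-01T10:00:02Z 203.0.113.7 carol@example.com OK
2024-03-01T10:00:03Z 203.0.113.7 dave@example.com FAIL
2024-03-01T10:00:03Z 203.0.113.7 erin@example.com FAIL
2024-03-01T10:00:04Z 203.0.113.7 frank@example.com OK
2024-03-01T10:00:05Z 198.51.100.9 grace@example.com FAIL
2024-03-01T10:00:09Z 198.51.100.9 grace@example.com FAIL
2024-03-01T10:00:15Z 198.51.100.9 grace@example.com OK
"""


def parse_events(log_text):
    """Yield (source_ip, account, succeeded) from the whitespace-separated log."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, account, outcome = line.split()
        yield ip, account, outcome == "OK"


def per_source_stats(log_text):
    """Aggregate attempts, failures, distinct accounts and successful accounts per source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "accounts": set(), "hits": set()})
    for ip, account, ok in parse_events(log_text):
        s = stats[ip]
        s["attempts"] += 1
        s["accounts"].add(account)
        if ok:
            s["hits"].add(account)
        else:
            s["failures"] += 1
    return stats


def flag_credential_stuffing(log_text, min_accounts=5, min_failure_ratio=0.5):
    """Return {ip: sorted(accounts that logged in OK)} for sources whose pattern
    matches credential stuffing: many distinct accounts, about one try each, and
    a high failure ratio. A single user retrying one account is not flagged."""
    flagged = {}
    for ip, s in per_source_stats(log_text).items():
        distinct = len(s["accounts"])
        failure_ratio = s["failures"] / s["attempts"]
        tries_per_account = s["attempts"] / distinct
        if distinct >= min_accounts and failure_ratio >= min_failure_ratio and tries_per_account < 2:
            flagged[ip] = sorted(s["hits"])  # accounts to reset and notify
    return flagged
```

Thresholds like `min_accounts` should be tuned against the service's own baseline (shared NAT egress points, for instance, legitimately show many accounts per IP), so treat a hit as a trigger for review and forced password resets rather than an automatic block.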
In response to these incidents, Roku has reset passwords for the affected accounts and is reversing any unauthorized charges. They have also introduced two-factor authentication (2FA) for all Roku accounts to enhance security. This new measure requires users to verify their identity via a link sent to their associated email address upon attempting to log in.
Roku advises customers to create strong, unique passwords and remain vigilant for any suspicious communications that may appear to be from Roku. Users are encouraged to stay informed by checking their email and Roku account regularly. For further assistance or information regarding account security, customers can visit Roku’s Customer Support site.
For more information about this incident, check out Roku’s post about it here.