Roku admits further subscriber data breach
APRIL 15, 2024 12.50 EUROPE/LONDON BY JULIAN CLOVER

Roku is to introduce two-factor authentication to its login process after it emerged that a second security breach had resulted in 576,000 additional accounts being compromised.

It follows the admission earlier this year that 15,000 accounts had been accessed without the permission of the account holder after data containing the details was stolen from a third party.

Roku says this type of data breach, known as ‘credential stuffing’, is an automated cyberattack in which fraudsters use usernames and passwords stolen from one platform to attempt to log in to accounts on other platforms. The method exploits the practice of individuals reusing the same login credentials across multiple services.
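From the defender's side, the pattern described above shows up in authentication logs as one source trying many different accounts in a short time, with most attempts failing. The following is an added example, not code from Roku or from the original article; the log format, thresholds and function names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (timestamp, source IP, username, result); not real data.
SAMPLE_LOG = """\
2024-04-15T12:00:01 203.0.113.7 alice@example.com FAIL
2024-04-15T12:00:03 203.0.113.7 bob@example.com FAIL
2024-04-15T12:00:04 203.0.113.7 carol@example.com OK
2024-04-15T12:00:06 203.0.113.7 dave@example.com FAIL
2024-04-15T12:00:09 203.0.113.7 erin@example.com FAIL
2024-04-15T12:00:11 203.0.113.7 frank@example.com FAIL
2024-04-15T12:01:30 198.51.100.20 alice@example.com FAIL
2024-04-15T12:01:41 198.51.100.20 alice@example.com OK
2024-04-15T12:02:00 192.0.2.9 gina@example.com OK
2024-04-15T12:03:10 192.0.2.9 hank@example.com OK
"""

def parse(log):
    """Yield (time, ip, user, ok) tuples from whitespace-separated lines."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user.lower(), result == "OK"

def find_stuffing(log, window=timedelta(minutes=5), min_users=5, max_ok_ratio=0.25):
    """Flag source IPs that try many distinct accounts in one window with
    mostly failed logins; return {ip: accounts that logged in successfully}."""
    by_ip = defaultdict(list)
    for event in parse(log):
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        for i, (start, *_rest) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            users = {e[2] for e in burst}
            ok_ratio = sum(e[3] for e in burst) / len(burst)
            if len(users) >= min_users and ok_ratio <= max_ok_ratio:
                # Successful logins inside the burst are likely takeovers.
                flagged[ip] = sorted({e[2] for e in burst if e[3]})
                break
    return flagged

if __name__ == "__main__":
    for ip, hits in find_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: suspected credential stuffing, review accounts {hits}")
```

Attempts spread across many source addresses will not trip a per-IP count, so this check is one signal to combine with others, such as the two-factor authentication Roku is introducing.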

In a statement, Roku said there was no evidence that its own servers had been accessed. “After concluding our investigation of this first incident, we notified affected customers in early March and continued to monitor account activity closely to protect our customers and their personal information. Through this monitoring we identified a second incident, which impacted approximately 576,000 additional accounts.

“In less than 400 cases, malicious actors logged in and made unauthorized purchases of streaming service subscriptions and Roku hardware products using the payment method stored in these accounts, but they did not gain access to any sensitive information, including full credit card numbers or other full payment information.”

Roku has stressed the number of affected accounts represents a small fraction of its 80 million accounts.