576,000 Roku accounts hacked in second security incident in 2 months

By Hannah Nightingale – The Postmillennial

More than half a million Roku accounts were recently hacked in the second security incident in two months, the company announced on Friday.

The streaming device giant said in a statement that 576,000 accounts were part of the second incident.

The company said “Roku’s security monitoring systems detected an increase in unusual account activity” earlier this year, and after an investigation, “we determined that unauthorized actors had accessed about 15,000 Roku user accounts using login credentials (i.e. usernames and passwords) stolen from another source unrelated to Roku through a method known as ‘credential stuffing.’”

The company explained that “credential stuffing” is when hackers take usernames and passwords stolen from one platform and attempt to log in with them elsewhere.

After the conclusion of the first investigation, the company notified customers in early March and continued monitoring account activity, through which a second incident was discovered.

“There is no indication that Roku was the source of the account credentials used in these attacks or that Roku’s systems were compromised in either incident. Rather, it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials,” the company wrote.

“In less than 400 cases, malicious actors logged in and made unauthorized purchases of streaming service subscriptions and Roku hardware products using the payment method stored in these accounts, but they did not gain access to any sensitive information, including full credit card numbers or other full payment information.”

The company has reset the passwords for all affected accounts and has refunded or reversed charges for those accounts on which unauthorized payments were made. Two-factor authentication has also been enabled for all Roku accounts.

“We also want to reassure customers that these malicious actors were not able to access sensitive user information or full credit card information.”

The company said that this incident affected “a small fraction of Roku’s more than 80M active accounts.”

