Streaming service Roku has been hit by its second cyberattack this year, with 576,000 user accounts compromised.
Last month, the company detected the breach of more than 15,000 user accounts through credential stuffing attacks. These used passwords stolen from previous attacks, taking advantage of the fact that many people reuse passwords from one site to another.
However, Roku has now identified a second incident, which affected an additional 576,000 accounts.
“It is likely that the login credentials used in these attacks were taken from another source, such as another online account, where the affected users may have used the same credentials,” the company wrote in a statement.
“In fewer than 400 cases, malicious actors logged in and made unauthorized purchases of subscriptions to streaming services and Roku hardware products using the payment method stored in these accounts, but did not gain access to any sensitive information, including phone numbers, complete credit card or other payment information.”
Roku says it has reset passwords for all affected accounts and is communicating directly with those customers. It is also refunding customers who lost money due to unauthorized purchases.
The firm recommends that customers create a unique, secure password for their Roku accounts and be on the lookout for suspicious communications that appear to come from Roku, such as requests to update payment details, share their username or password, or click suspicious links.
The firm has enabled two-factor authentication (2FA) for all 80 million Roku accounts, including those that were not affected by these incidents.
“While 2FA can be inconvenient, a credential stuffing attack on a Roku account today could mean more serious utility accounts, bank accounts, or other compromises in the future,” said Jamie Boote, associate principal security consultant at Synopsys Software Integrity Group.
“While the actions an attacker could take after accessing a Roku account could be limited in terms of not being able to manage Roku devices from different networks, obtain credit card information, or even change channels, confirming a reused username and password combination as valid means that attackers will try to compromise other accounts with the same credentials.”
Boote also said it is possible to limit the damage or the number of attacks, while noting that credential stuffing attacks may be more difficult to block when authentication attempts are launched by distributed botnets.
“In cases where there are higher volumes of authentication attempts, or login attempts from different geographic regions, those suspicious actions should be flagged and additional scrutiny applied,” he said.
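The two signals Boote describes, attempt volume per source and one account logging in from several countries in a short window, as an added detection example run over constructed authentication log lines. This is not Roku's or Synopsys's code; the log format, the thresholds and the sample data are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real Roku data): timestamp, username, source IP, country, result.
SAMPLE_LOG = """\
2024-04-12T10:00:01Z alice 203.0.113.5 US FAIL
2024-04-12T10:00:02Z bob 203.0.113.5 US FAIL
2024-04-12T10:00:03Z carol 203.0.113.5 US FAIL
2024-04-12T10:00:04Z dave 203.0.113.5 US FAIL
2024-04-12T10:00:05Z erin 203.0.113.5 US SUCCESS
2024-04-12T10:00:06Z frank 203.0.113.5 US FAIL
2024-04-12T10:01:00Z alice 198.51.100.7 US SUCCESS
2024-04-12T10:02:00Z alice 198.51.100.9 BR SUCCESS
2024-04-12T11:30:00Z grace 192.0.2.44 DE SUCCESS
"""

# Assumed thresholds; a real deployment would tune these against its own baseline.
VOLUME_WINDOW = timedelta(minutes=5)
MAX_ATTEMPTS_PER_IP = 5        # more attempts than this from one IP in the window is suspicious
MAX_DISTINCT_USERS_PER_IP = 4  # one IP cycling through many usernames is the stuffing signature
GEO_WINDOW = timedelta(hours=1)  # one account succeeding from two countries within this window

def parse(log_text):
    """Turn the whitespace-separated log lines into sorted (time, user, ip, country, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, ip, country, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, country, result))
    return sorted(events)

def flag_events(log_text):
    """Return {ip or username: reason} for activity that deserves additional scrutiny."""
    flags = {}
    per_ip = defaultdict(list)    # sliding window of (time, user) attempts per source IP
    per_user = defaultdict(list)  # sliding window of (time, country) successes per account
    for ts, user, ip, country, result in parse(log_text):
        # Volume check: many attempts, or many distinct usernames, from one source in a short window.
        per_ip[ip] = [(t, u) for t, u in per_ip[ip] if ts - t <= VOLUME_WINDOW] + [(ts, user)]
        attempts = per_ip[ip]
        if len(attempts) > MAX_ATTEMPTS_PER_IP or len({u for _, u in attempts}) > MAX_DISTINCT_USERS_PER_IP:
            flags[ip] = "high-volume login attempts across many usernames"
        # Geographic check: successful logins for one account from different countries close together.
        if result == "SUCCESS":
            per_user[user] = [(t, c) for t, c in per_user[user] if ts - t <= GEO_WINDOW] + [(ts, country)]
            countries = sorted({c for _, c in per_user[user]})
            if len(countries) > 1:
                flags[user] = f"successful logins from multiple countries: {countries}"
    return flags
```

In the sample, the source IP is flagged on its fifth attempt because it has tried five different usernames, and alice is flagged because her account succeeds from the US and then Brazil one minute apart.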
According to research by security firm Okta, nearly a quarter of all login attempts last year met the criteria for credential stuffing. Meanwhile, Verizon's 2023 analysis found that about half of all data breaches involved stolen credentials.