Roku launches countermeasures after nearly 600K accounts were hacked

Roku said hackers used 'credential stuffing' to access 591,000 accounts over two separate instances. In response, Roku has reset passwords for impacted accounts and added two-factor authentication for 80 million-plus accounts.

Jeff Baumgartner, Senior Editor

April 12, 2024

[Image: Padlock being opened against a digital background. Source: Kiyoshi Takahase Segundo/Alamy Stock Photo]

Roku said Friday it is resetting some passwords and implementing two-factor authentication for its 80 million-plus accounts following a hack that originated with about 15,000 Roku user accounts.

Roku took those measures after determining that "unauthorized actors" had accessed those accounts using login credentials stolen from another source via a method called "credential stuffing" – an automated cyberattack in which stolen usernames and passwords from one platform are used to access the accounts of other platforms.
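What makes credential stuffing detectable on the defender's side is its shape: each stolen username/password pair is tried once, so a single source tries many distinct accounts with a high failure rate, unlike a brute-force attack that hammers one account. The following is an added example (not Roku's code, and not based on any Roku logs) that runs that heuristic over a few constructed authentication log lines; the log format, the IP addresses, the usernames and the thresholds are all assumptions for illustration. Accounts that saw a successful login from a flagged source are the ones a service would force through a password reset and a second factor, which is the response described in this article.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample authentication log (hypothetical format, fictional data).
# One login attempt per line: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-03-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2024-03-01T10:00:02Z ip=203.0.113.5 user=carol result=SUCCESS
2024-03-01T10:00:03Z ip=203.0.113.5 user=dave result=FAIL
2024-03-01T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2024-03-01T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2024-03-01T10:00:04Z ip=203.0.113.5 user=grace result=SUCCESS
2024-03-01T10:00:05Z ip=203.0.113.5 user=heidi result=FAIL
2024-03-01T10:01:00Z ip=198.51.100.7 user=alice result=FAIL
2024-03-01T10:01:05Z ip=198.51.100.7 user=alice result=FAIL
2024-03-01T10:01:10Z ip=198.51.100.7 user=alice result=SUCCESS
2024-03-01T10:02:00Z ip=192.0.2.9 user=ivan result=SUCCESS
"""

# Parser for the assumed line shape above; lines that do not match are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


@dataclass
class SourceStats:
    """Per-source-IP counters used by the detection rule."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)            # distinct accounts tried
    succeeded_users: set = field(default_factory=set)  # accounts actually entered


def parse_log(text):
    """Return a list of dicts (ts, ip, user, result) for every well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def aggregate(events):
    """Roll the events up per source IP."""
    stats = defaultdict(SourceStats)
    for e in events:
        s = stats[e["ip"]]
        s.attempts += 1
        s.users.add(e["user"])
        if e["result"] == "FAIL":
            s.failures += 1
        else:
            s.succeeded_users.add(e["user"])
    return stats


def detect_credential_stuffing(stats, min_distinct_users=5, min_failure_rate=0.6):
    """Flag sources that try many distinct accounts and mostly fail.

    Thresholds are illustrative. A source retrying one account (198.51.100.7
    in the sample) does not match: that pattern is brute force, not stuffing.
    """
    flagged = {}
    for ip, s in stats.items():
        failure_rate = s.failures / s.attempts
        if len(s.users) >= min_distinct_users and failure_rate >= min_failure_rate:
            flagged[ip] = {
                "distinct_users": len(s.users),
                "failure_rate": round(failure_rate, 2),
                # Successful logins from a stuffing source are the accounts
                # that need a forced password reset and a second factor.
                "accounts_to_reset": sorted(s.succeeded_users),
            }
    return flagged


def analyze(text, **thresholds):
    """Convenience wrapper: raw log text in, flagged sources out."""
    return detect_credential_stuffing(aggregate(parse_log(text)), **thresholds)


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample, only 203.0.113.5 is flagged (8 distinct accounts, 75% failures), and its two successful logins (carol, grace) are the accounts to reset. In production the same rule would run over a sliding time window and key on more than the source IP, since stuffing tools rotate through proxy pools; the distinct-accounts-per-source signal is the part that carries over.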

"We concluded at the time that no data security compromise occurred within our systems, and that Roku was not the source of the account credentials used in these attacks," Roku explained in this post about the incident.

After concluding its investigation into the initial incident, Roku said it notified affected customers in early March and continued to monitor the situation. During that monitoring, Roku said it identified a second incident that impacted about 576,000 additional Roku accounts, and determined that the login credentials used in that round were likely also taken from another source.

Few hacked accounts used to make purchases

Roku also found that, in less than 400 cases, the hackers who logged in with purloined credentials used them to make unauthorized purchases of streaming service subscriptions and Roku hardware products using payment methods stored in those accounts. Roku also stressed that the hackers did not gain access to any "sensitive information, including full credit card numbers or other full payment information."

In addition to resetting passwords for all affected accounts and enlisting two-factor authentication for all accounts, Roku is also refunding or reversing charges for the small number of accounts that were used to make unauthorized purchases.

Roku shares were down $1.69 (-2.74%) to $60.26 each in mid-day trading Friday.

Roku is far from alone in being the target of cybercriminals in recent months. Others that have dealt with breaches include AT&T, Comcast, T-Mobile, Lumen and Dish (now part of EchoStar).

About the Author(s)

Jeff Baumgartner

Senior Editor, Light Reading

Jeff Baumgartner is a Senior Editor for Light Reading and is responsible for the day-to-day news coverage and analysis of the cable and video sectors. Follow him on X and LinkedIn.

Baumgartner also served as Site Editor for Light Reading Cable from 2007-2013. In between his two stints at Light Reading, he led tech coverage for Multichannel News and was a regular contributor to Broadcasting + Cable. Baumgartner was named to the 2018 class of the Cable TV Pioneers.
