Over half a million Roku subscribers are the victims of the latest cybersecurity attack
Roku offers streaming television through both subscription and ad-supported plans. It is the leading distributor of streaming television in the U.S., with over 80 million users as of last year. Today, a blog post published by Roku says that unauthorized actors gained access to some subscribers' accounts in two separate incidents that Roku investigated. The first took place earlier this year, when the company discovered that unauthorized actors had accessed approximately 15,000 Roku accounts using usernames and passwords stolen from a source unrelated to Roku.
The method the attackers used is called "credential stuffing." In this attack, username and password pairs obtained from data breaches at other services are replayed, usually at scale with automated tooling, against the login page of an unrelated service. What makes credential stuffing so effective is that too many people reuse the same username and password across different accounts on different platforms, so a password leaked from one site unlocks others. Roku determined that its own systems were not the source of the stolen credentials.
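The login pattern that distinguishes credential stuffing from an ordinary brute-force attempt is many different usernames tried from one source in a short time, with a high failure rate and a small number of successes. The script below is an added example (not Roku's code, and not from the original post) that scores constructed authentication-log lines on exactly that pattern; the log format, the field names and the thresholds are assumptions made for the illustration.

```python
"""Toy credential-stuffing detector over constructed auth-log lines."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Optional, Set

# Constructed sample log lines for illustration (not real Roku data).
# Assumed format: ISO-8601 UTC timestamp, source IP, username, result (OK / FAIL).
# 203.0.113.7 sprays ten different usernames in a few seconds and gets two hits,
# which is the credential-stuffing signature; the other sources are normal users.
SAMPLE_LOG = """\
2024-04-01T10:00:01Z 203.0.113.7 alice FAIL
2024-04-01T10:00:01Z 203.0.113.7 bob FAIL
2024-04-01T10:00:02Z 203.0.113.7 carol OK
2024-04-01T10:00:02Z 203.0.113.7 dave FAIL
2024-04-01T10:00:03Z 203.0.113.7 erin FAIL
2024-04-01T10:00:03Z 203.0.113.7 frank FAIL
2024-04-01T10:00:04Z 203.0.113.7 grace FAIL
2024-04-01T10:00:04Z 203.0.113.7 heidi OK
2024-04-01T10:00:05Z 203.0.113.7 ivan FAIL
2024-04-01T10:00:05Z 203.0.113.7 judy FAIL
2024-04-01T10:01:00Z 198.51.100.20 alice OK
2024-04-01T10:05:00Z 198.51.100.21 bob FAIL
2024-04-01T10:05:30Z 198.51.100.21 bob OK
"""


@dataclass
class SourceStats:
    """Login activity seen from one source IP."""
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)       # distinct usernames tried
    successes: Set[str] = field(default_factory=set)   # usernames that logged in
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None


def parse_line(line: str):
    """Split one log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, ip, user, result


def summarize_by_source(log_text: str) -> Dict[str, SourceStats]:
    """Aggregate attempts, failures and distinct usernames per source IP."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, ip, user, result = parse_line(raw)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "OK":
            s.successes.add(user)
        else:
            s.failures += 1
        if s.first_seen is None or when < s.first_seen:
            s.first_seen = when
        if s.last_seen is None or when > s.last_seen:
            s.last_seen = when
    return stats


def flag_credential_stuffing(log_text: str, min_distinct_users: int = 5,
                             min_fail_rate: float = 0.5) -> dict:
    """Flag sources that try many distinct usernames and mostly fail.

    A brute-force attack hammers one username; stuffing tries one password per
    username across many usernames, so distinct-user count is the key signal.
    The time span is reported rather than used as a gate, because a low-and-slow
    campaign would otherwise slip under a fixed window.  The 'compromised_users'
    list (successful logins from a flagged source) is what the response team
    needs for forced password resets, notifications and refunds.
    """
    flagged = {}
    for ip, s in summarize_by_source(log_text).items():
        fail_rate = s.failures / s.attempts
        if len(s.users) >= min_distinct_users and fail_rate >= min_fail_rate:
            flagged[ip] = {
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "fail_rate": round(fail_rate, 2),
                "seconds": int((s.last_seen - s.first_seen).total_seconds()),
                "compromised_users": sorted(s.successes),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_credential_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

Keying on a single source IP is the simplest form of this check; real stuffing campaigns rotate through proxy pools, so in production the same statistics are also computed per /24, per ASN, and globally (a sudden spike in the site-wide failure rate with normal per-IP volume is the rotated-IP variant of the same pattern).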
Roku hardware can be very expensive
No sooner had Roku wrapped up its investigation of the first incident than a second incident was discovered that impacted 576,000 Roku accounts. Once again, Roku says there is no sign that it was the source of the account credentials used in either attack, and its own systems were not compromised in either case. The second incident, too, appears to have been credential stuffing.
Roku said, "Rather, it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials." Furthermore, Roku notes that in fewer than 400 cases an attacker logged into a subscriber's account and made an unauthorized purchase of a streaming service subscription and/or Roku hardware. Even in those cases, the attackers did not gain access to sensitive customer data such as full credit card numbers or other complete payment information.
The company says the affected accounts are a small fraction of its roughly 80 million accounts (576,000 is about 0.7%), but even so, it is resetting the passwords for all affected accounts and notifying those customers about the situation. Roku is also refunding or reversing charges for the small number of accounts where it found that a streaming subscription or Roku hardware had been purchased using a payment method stored in the account. Again, Roku says the malicious actors were unable to view sensitive user information or full credit card numbers.
Roku has enabled two-factor authentication (2FA) for all accounts. This directly blunts credential stuffing, because a reused password on its own no longer grants access. While it does add an extra step to the login process, Roku says it has made that step as simple as possible. The company also has some tips for Roku account holders:
Create a strong, unique password for your Roku account. Use a mix of upper- and lower-case letters, numbers, and symbols, and make it at least eight characters long. "Unique" is the operative word: credential stuffing only works against passwords that are reused on other sites, so a password manager that generates a different password per service removes the attack's leverage.
Remain vigilant. Be alert to any communication that claims to come from Roku and asks you to update your payment details, share your username or password, or click on a link. If you are not certain whether an email, tweet or phone call from Roku is legitimate, call customer service. Lastly, keep checking Roku's blog for legitimate communications from the company, and review your account on Roku's website from time to time.
Roku says that it is committed to protecting your account.