Key Takeaways
- 576,000 Roku accounts breached through credential stuffing.
- 400 accounts used for fraudulent purchases, reset passwords.
- 15,363 accounts breached in a prior incident; completing the password reset is crucial.
Monitoring in the aftermath of an earlier security breach at Roku has uncovered a second incident that affected roughly 576,000 accounts, the company has revealed. While it’s believed that internal systems weren’t compromised, and that attackers never gained access to full payment information, the accounts were accessed by automated tooling replaying usernames and passwords stolen from other platforms.
The method is known as credential stuffing: attackers take username/password pairs leaked from one service and replay them at scale against another. It works whenever people re-use the same usernames and passwords across multiple apps or websites, because a successful login looks like any other sign-in rather than a break-in.
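The signature that distinguishes credential stuffing from an ordinary brute-force attack is a single source trying many different accounts, usually once each, with a high failure rate and a few successes. The following is an added example, not Roku's own tooling, that flags such sources in authentication logs and lists the accounts whose logins succeeded (the ones that need a forced reset). The log line format, the field names, the IP addresses and the thresholds are assumptions chosen for illustration, and the sample log lines are constructed.

```python
"""Flag credential-stuffing sources in authentication logs.

Added example for this article, not Roku's own tooling. The log line format,
field names, addresses and thresholds below are assumptions for illustration.
"""
import re
from collections import defaultdict

# Assumed log format: "<timestamp> src=<ip> user=<account> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source cycling through many accounts (stuffing),
# one legitimate user who mistypes a password once, and one brute-force run
# against a single account. Addresses are documentation ranges.
SAMPLE_LOG = (
    [f"2024-03-01T10:00:{i:02d}Z src=203.0.113.5 user=user{i}@example.com "
     f"result={'OK' if i in (3, 9) else 'FAIL'}" for i in range(12)]
    + ["2024-03-01T10:01:00Z src=198.51.100.7 user=alice@example.com result=FAIL",
       "2024-03-01T10:01:05Z src=198.51.100.7 user=alice@example.com result=OK"]
    + [f"2024-03-01T10:02:{i:02d}Z src=192.0.2.9 user=bob@example.com result=FAIL"
       for i in range(15)]
)


def parse(lines):
    """Yield (ip, user, success) tuples; lines that don't match are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["user"], m["result"] == "OK"


def detect_stuffing(lines, min_attempts=10, min_distinct_users=10, min_fail_ratio=0.5):
    """Return {ip: stats} for sources whose pattern looks like credential stuffing.

    Stuffing differs from a brute-force attack on one account: a single source
    tries many *different* usernames, typically once each, because it is
    replaying username/password pairs leaked from another site. Failures
    dominate, but the successes are the accounts that need a forced reset.
    """
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                 "users": set(), "compromised": set()})
    for ip, user, ok in parse(lines):
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["compromised"].add(user)
        else:
            s["failures"] += 1

    findings = {}
    for ip, s in stats.items():
        fail_ratio = s["failures"] / s["attempts"]
        # A brute-force run against one account fails the distinct-user test;
        # a legitimate user with a typo fails the attempt-count test.
        if (s["attempts"] >= min_attempts
                and len(s["users"]) >= min_distinct_users
                and fail_ratio >= min_fail_ratio):
            findings[ip] = {
                "attempts": s["attempts"],
                "failures": s["failures"],
                "distinct_users": len(s["users"]),
                "compromised": sorted(s["compromised"]),
            }
    return findings


if __name__ == "__main__":
    for ip, f in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {f['attempts']} attempts over {f['distinct_users']} accounts, "
              f"{f['failures']} failures; reset: {', '.join(f['compromised'])}")
```

On the constructed sample only 203.0.113.5 is flagged: the brute-force source hits one account and the legitimate user makes too few attempts. In a real deployment the per-source counting would need to be windowed by time and keyed on more than the IP (attackers rotate through proxies), and the successful logins from a flagged source are the list to feed into a forced password reset.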
Two-factor authentication for everyone
Just under 400 people had their accounts used to fraudulently buy subscriptions or streaming devices, Roku says. In response to the latest attacks, the company has reset the passwords for everyone exposed in the incident, and switched on two-factor authentication (2FA) for all users regardless of whether they were involved. Customers will get a verification link via email the next time they try to sign into their Roku accounts, and will need to click or tap on that link to continue the sign-in process. Victims of fraud are getting their charges reversed or refunded.
In the prior breach, which occurred between late December and late February, 15,363 customer accounts were compromised using the same automated credential stuffing method. A select few people had their accounts used to buy subscriptions to services like Max and Peacock, and the attackers also tried to resell logins on a stolen account marketplace for as little as 50 cents. It’s unknown if any of the accounts in the latest incident have been put up for sale, but those credentials should already be useless as long as people follow through with Roku’s reset prompt. It’s important to complete the reset as soon as possible to shut out any further fraud.
Both incidents are minor compared to some other security breaches, but could undermine confidence in Roku, which has typically been seen as a safe platform. The company is urging users to create unique passwords with at least eight characters, mixing in numbers, symbols, and both lower- and upper-case letters. It’s also warning about phishing attempts, in which criminals impersonate Roku by email to request sensitive information such as payment or login credentials, or urge people to click on a link they weren’t expecting. Because Roku’s new sign-in flow itself relies on emailed verification links, that advice needs one refinement: a link that arrives right after you tried to sign in is expected, one that arrives unprompted is not, and in either case the address it points to should be on roku.com before you tap it. The real company doesn’t solicit information that way, and phishing attempts can often be spotted by erroneous details, such as odd graphics or a sender address other than roku.com.
You should get a notification from Roku if your account was exposed. If you haven’t received a prompt to reset your password, you can do it yourself anyway using the following steps:
- On a phone, computer, or tablet, open up your web browser of choice and go to my.roku.com.
- On the login page, select Forgot password?
- Enter your email address.
- Follow the reset link sent to your email and enter your new password.