Roku issues warning over massive customer account breach

The Roku logo on a smartphone, resting on a laptop keyboard with an illuminated screen reflecting red, green, and blue light.
(Image credit: Getty Images)

Streaming service Roku has been hit by its second cyber attack this year, with 576,000 user accounts compromised.

Last month, the company detected the breach of more than 15,000 user accounts through credential stuffing attacks. These used stolen passwords from previous attacks, exploiting the fact that many people reuse passwords from site to site.

However, Roku has now identified a second incident, which hit around 576,000 additional accounts. 

"It is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials," the company wrote in a statement

"In less than 400 cases, malicious actors logged in and made unauthorized purchases of streaming service subscriptions and Roku hardware products using the payment method stored in these accounts, but they did not gain access to any sensitive information, including full credit card numbers or other full payment information."

Roku says it's reset the passwords for all affected accounts and is contacting those customers directly. It's also refunding the customers who lost money to unauthorized purchases. 

The firm recommends that customers create a strong, unique password for their Roku accounts and keep their eyes peeled for suspicious communications appearing to come from Roku, such as requests to update payment details, share their username or password, or click on suspicious links. 

The firm has enabled two-factor authentication (2FA) for all 80 million Roku accounts, including those unaffected by these incidents. 

"While 2FA may be inconvenient, a credential stuffing attack on a Roku account today could mean compromised utility accounts, banking accounts, or other more serious compromises in the future," commented Jamie Boote, associate principal security consultant at the Synopsys Software Integrity Group.

"While the actions that an attacker could take after accessing a Roku account could be limited in terms of not being able to manage Roku devices from different networks, gaining credit card information, or even changing the channel, confirming a reused username and password combination as valid means that attackers will attempt to compromise other accounts with the same credentials."


Boote also acknowledged that it’s not impossible to limit the damage or number of attacks, while noting that credential stuffing attacks can be trickier to block when authentication attempts are launched by distributed botnets.  

"In instances where there are higher volumes of authentication attempts, or log in attempts from different geographical regions, those suspicious actions should be flagged and extra scrutiny should be applied," he says. 

According to research from security firm Okta, nearly a quarter of all log in attempts last year met the criteria for credential stuffing. Meanwhile, analysis from Verizon in 2023 found that approximately half of all data breaches involved stolen credentials. 

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.