Roku warns that 576,000 accounts have been hacked in new credential stuffing assaults after disclosing one other incident that compromised 15,000 accounts in early March.
The corporate mentioned the attackers used login info stolen from different on-line platforms to breach as many lively Roku accounts as attainable in credential stuffing assaults.
In such assaults, the risk actors leverage automated instruments to try hundreds of thousands of logins utilizing an inventory of consumer/password pairs, with this method being notably efficient in opposition to accounts whose house owners have reused the identical login info throughout a number of platforms.
“After concluding our investigation of [the] first incident, we [..] continued to watch account exercise carefully [and] we recognized a second incident, which impacted roughly 576,000 extra accounts,” Roku said on Friday.
“There is no such thing as a indication that Roku was the supply of the account credentials utilized in these assaults or that Roku’s programs have been compromised in both incident.”
“In lower than 400 circumstances, malicious actors logged in and made unauthorized purchases of streaming service subscriptions and Roku {hardware} merchandise utilizing the cost technique saved in these accounts, however they didn’t acquire entry to any delicate info, together with full bank card numbers or different full cost info.”
As BleepingComputer reported in March, risk actors are utilizing credential stuffing assaults with Open Bullet 2 or SilverBullet cracking instruments to compromise Roku accounts, that are then bought for as little as 50 cents on unlawful marketplaces.
The sellers additionally present info on utilizing the stolen accounts to make fraudulent purchases, together with Roku streaming bins, sound bars, gentle strips, and TVs.
Password resets and 2FA enabled by default
After discovering this second wave of credential stuffing assaults, Roku has reset the passwords for all impacted accounts and is notifying affected clients immediately in regards to the incident.
The corporate will even refund and reverse fees for accounts the place the attackers used the linked cost info to pay for Roku {hardware} merchandise and streaming service subscriptions.
Because the final incident, Roku has additionally added help for two-factor authentication (2FA) and has now enabled it by default for all buyer accounts, even for people who these current assaults haven’t impacted.
Prospects are additionally suggested to decide on robust and distinctive passwords for his or her accounts and alert Roku’s buyer help in the event that they obtain requests to share their credentials, replace their cost particulars, or click on suspicious hyperlinks.
Final month, Roku disclosed another data breach that impacted a further 15,363 clients of a complete of over 80 million lively customers after their accounts have been additionally used to make fraudulent purchases of streaming subscriptions and Roku {hardware}.
