
UPDATE: Second wave of Roku account hacks affects 576,000

Roku offering refunds to any who suffered fraudulent charges

UPDATE: After reports of over 15,000 Roku accounts being compromised surfaced last month, Roku has now confirmed a second attack has affected 576,000 accounts in a large-scale security breach.

The company says that all affected accounts have now had their passwords reset, and that up to 400 users have seen fraudulent charges to their credit cards. Roku has gone on to state that they are refunding any illicit charges made to users due to the hack.

“While the overall number of affected accounts represents a small fraction of Roku’s more than 80 million active accounts, we are implementing a number of controls and countermeasures to detect and deter future credential stuffing incidents,” Roku told Variety.

In the meantime, Roku users are urged to create strong passwords, “remain vigilant” and look out for any “suspicious communications appearing to come from Roku.”

 

The following was originally published March 21, 2024: 

Roku has alerted users to a data breach that has affected over 15,000 accounts. The company states that a credential stuffing attack compromised the accounts, while BleepingComputer reports that the affected accounts were then sold to threat actors, who would then have access to the accounts’ stored credit card accounts.

“A researcher told BleepingComputer last week that the threat actors have been using a Roku config to perform credential stuffing attacks for months, bypassing brute force attack protections and captchas by using specific URLs and rotating through lists of proxy servers,” reports the website. “Successfully hacked accounts are then sold on stolen account marketplaces for as little as 50 cents.”
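The report quoted above explains why per-IP brute-force limits do not see this traffic: each proxy address makes only one or two attempts. The following Python code is an added example, not from Roku or BleepingComputer, that runs a per-IP lockout and an aggregate per-window check over constructed login events; the event format, thresholds and function names are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample events: (epoch_seconds, source_ip, username, success).
# 60 attempts in one minute, each from a different proxy IP against a different
# account (2 succeed), plus one ordinary user who mistypes a password twice.
def sample_events():
    events = [(1200 + i, f"198.51.100.{i + 1}", f"user{i}@example.com", i in (17, 42))
              for i in range(60)]
    events += [(1205 + j, "203.0.113.9", "alice@example.com", j == 2) for j in range(3)]
    return sorted(events)

def per_ip_lockout(events, max_failures=5):
    """Classic brute-force control: flag IPs with too many failed logins."""
    failures = Counter(ip for _, ip, _, ok in events if not ok)
    return {ip for ip, n in failures.items() if n >= max_failures}

def stuffing_windows(events, window=60, min_accounts=30, max_per_ip=2.0,
                     min_fail_ratio=0.8):
    """Flag windows where many distinct accounts fail from thinly spread IPs."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[ts - ts % window].append((ip, user, ok))
    flagged = []
    for start, rows in sorted(buckets.items()):
        failed_accounts = {u for _, u, ok in rows if not ok}
        ips = {ip for ip, _, _ in rows}
        fail_ratio = sum(not ok for _, _, ok in rows) / len(rows)
        per_ip = len(rows) / len(ips)
        if (len(failed_accounts) >= min_accounts and per_ip <= max_per_ip
                and fail_ratio >= min_fail_ratio):
            # Logins that succeeded with no failed try in a flagged window are
            # candidates for a forced password reset, pending review.
            hits = sorted({u for _, u, ok in rows if ok} - failed_accounts)
            flagged.append({"window_start": start,
                            "failed_accounts": len(failed_accounts),
                            "source_ips": len(ips),
                            "reset_candidates": hits})
    return flagged

if __name__ == "__main__":
    ev = sample_events()
    print("IPs locked out by per-IP rule:", per_ip_lockout(ev))
    for w in stuffing_windows(ev):
        print("credential stuffing suspected:", w)
```

On the constructed data the per-IP rule flags nothing, while the window check flags the minute and lists the two accounts that were logged into on the first try.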


Roku users are urged to check that their accounts are in working order and do not contain any fraudulent charges or purchases. For its part, the company says it has “cancel[ed] unauthorized subscriptions and refund[ed] any unauthorized charges.” Roku states that it has reset the password for any accounts suspected to be affected by the breach, and that affected users must use the “Forgot password?” option on Roku’s website to recover their account.
