Streaming TV company Roku says it is notifying more than a half-million customers about a data breach that may have affected their accounts.
In a notice published on Friday, a spokesperson for the company said the data breach involving 576,000 customer accounts is part of the same incident it warned about in March. Then, Roku said the damage involved around 15,000 user accounts.
Roku says it was not the source of the data breach, but realized something was amiss when internal systems “detected an increase in unusual account activity.” An investigation determined someone had accessed thousands of user accounts via credentials that were stolen from a third party.
The unusual account activity was part of a scheme known as “credential stuffing,” in which hackers go down a list of compromised usernames and passwords and try each one to see whether it logs them into an account.
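The “unusual account activity” Roku describes is what this pattern looks like in an authentication log: one source trying many different accounts with mostly failures. The detector below is an added example, not Roku’s code; the log format, the sample lines and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format: "<ISO time> <src_ip> <user> <OK|FAIL>".
# First source walks a list of different accounts (one stolen pair happens to work);
# second source is one user retrying their own password and should not be flagged.
SAMPLE_LOG = """\
2024-04-12T10:00:01 203.0.113.7 alice FAIL
2024-04-12T10:00:02 203.0.113.7 bob FAIL
2024-04-12T10:00:03 203.0.113.7 carol OK
2024-04-12T10:00:04 203.0.113.7 dave FAIL
2024-04-12T10:00:05 203.0.113.7 erin FAIL
2024-04-12T10:00:06 203.0.113.7 frank FAIL
2024-04-12T10:00:07 198.51.100.9 alice FAIL
2024-04-12T10:00:20 198.51.100.9 alice FAIL
2024-04-12T10:00:40 198.51.100.9 alice OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_lines(text):
    """Return (timestamp, src_ip, user, success) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_success_rate=0.3):
    """Map src_ip -> (distinct_users, attempts, successes) for every source that,
    inside one sliding window, tried >= min_users distinct accounts with a success
    rate <= max_success_rate. Thresholds are assumptions; tune them to real traffic."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # drop events older than the window
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(users) >= min_users and successes / len(chunk) <= max_success_rate:
                flagged[ip] = (len(users), len(chunk), successes)  # keep the latest stats
    return flagged
```

Run on the sample, only the first source is flagged; the single user retrying from the second address is ignored because it never touches enough distinct accounts.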
“We concluded at the time that no data security compromise occurred within our systems, and that Roku was not the source of the account credentials used in these attacks,” Roku said, referring to the investigation disclosed in March.
After notifying 15,000 customers last month, Roku said it became aware of a “second incident” involving around 576,000 more accounts.
Roku said attackers were able to use stolen passwords to access accounts and make unauthorized purchases. That situation happened in “less than 400 cases,” Roku said.
“While the overall number of affected accounts represents a small fraction of Roku’s more than 80 million active accounts, we are implementing a number of controls and countermeasures to detect and deter future credential stuffing incidents,” a company spokesperson said.
Roku said it was taking reactive measures to address the situation, which include resetting the passwords of customers whose accounts were likely compromised. The company is also rolling out two-factor authentication (2FA) across all Roku accounts, whether they were part of the data breach or not. Two-factor authentication requires inputting a numeric code generated from an app or text message before allowing someone with a username and password access to an account, and is generally seen as an added safety step.
“We sincerely regret that these incidents occurred and any disruption they may have caused,” Roku said on Friday. “Your account security is a top priority, and we are committed to protecting your Roku account.”
The company said customers can take certain steps to secure their accounts as well, including creating a “strong unique password” that makes it “harder for someone to gain unauthorized access” and being “alert to any suspicious communications appearing to come from Roku, such as requests to update your payment details, share your username or password, or click on suspicious links.”
Anyone with questions about the Roku security incident is asked to call the company at 1-816-272-8106 or reach out by email at [email protected].