Roku

Breach Report for

April 2024 Roku Breach

🌍
GLOBAL
591K account records breached
In early 2024, Roku, the streaming giant with over 80 million active accounts, experienced two significant security breaches through credential stuffing attacks, in which attackers used login credentials stolen from other platforms to gain unauthorized access to user accounts. The first breach, discovered and disclosed in March 2024, affected approximately 15,000 accounts. Following this incident, Roku's continued security monitoring revealed a second, larger breach impacting around 576,000 additional accounts, bringing the total number of compromised accounts to approximately 591,000.

In both incidents the attackers employed credential stuffing, a technique that exploits users' habit of reusing the same password across multiple services. Roku emphasized that its own systems were not compromised and that the login credentials were likely obtained from breaches of other platforms.

The impact of these breaches was relatively contained. In fewer than 400 cases, the attackers made unauthorized purchases of streaming service subscriptions and Roku hardware products using stored payment methods. Importantly, Roku confirmed that no sensitive information, including full credit card numbers or other complete payment information, was accessed during these incidents.

In response to these security breaches, Roku has taken several significant measures:

1. Reset passwords for all affected accounts
2. Implemented mandatory two-factor authentication (2FA) for all 80 million user accounts
3. Notified affected customers directly
4. Refunded or reversed all unauthorized charges
5. Implemented additional controls and countermeasures to detect and prevent future credential stuffing attacks

The new 2FA system requires users to verify their identity through an email verification link when logging in, adding an extra layer of security to all accounts.

While Roku's response has been comprehensive, some security experts have questioned why the company's monitoring systems did not detect and stop the second, larger breach more quickly after the first incident. The company has also faced criticism for initially appearing to blame users for poor password hygiene rather than implementing stronger security measures after the first breach.

For users concerned about their account security, Roku recommends:

- Creating strong, unique passwords of at least eight characters
- Remaining vigilant against suspicious communications
- Regularly reviewing account charges
- Being cautious of potential phishing attempts
- Contacting Roku Customer Support when in doubt about any communications

This incident serves as a reminder of the importance of using unique passwords for different services and enabling two-factor authentication whenever possible to prevent credential stuffing attacks.
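As an added illustration (not part of this report and not Roku's own monitoring code), the detector below shows the pattern a login-monitoring system can key on to catch credential stuffing early: one source cycling through many different accounts with a mostly failing attempt stream, as opposed to a single user retrying their own password. The log format, IP addresses and account names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines (assumed format, not real Roku logs):
# "<ISO time> src=<ip> user=<account> result=<ok|fail>"
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=203.0.113.7 user=alice@example.com result=fail
2024-03-01T10:00:02Z src=203.0.113.7 user=bob@example.com result=fail
2024-03-01T10:00:03Z src=203.0.113.7 user=carol@example.com result=ok
2024-03-01T10:00:04Z src=203.0.113.7 user=dave@example.com result=fail
2024-03-01T10:00:05Z src=203.0.113.7 user=erin@example.com result=fail
2024-03-01T10:00:06Z src=203.0.113.7 user=frank@example.com result=ok
2024-03-01T10:05:00Z src=198.51.100.4 user=grace@example.com result=fail
2024-03-01T10:05:09Z src=198.51.100.4 user=grace@example.com result=fail
2024-03-01T10:05:20Z src=198.51.100.4 user=grace@example.com result=ok
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(ok|fail)")


def detect_credential_stuffing(log_text, min_distinct_users=5, min_fail_ratio=0.5):
    """Return {src: {attempts, distinct_users, fail_ratio, logged_in}} for sources
    that look like credential stuffing: many *different* accounts tried from one
    source, most of them failing. A lone user mistyping their own password
    (one distinct account) is deliberately not flagged."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "ok": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        src, user, result = m.groups()
        s = stats[src]
        s["attempts"] += 1
        s["users"].add(user)
        if result == "fail":
            s["fails"] += 1
        else:
            s["ok"].add(user)
    flagged = {}
    for src, s in stats.items():
        fail_ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[src] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "fail_ratio": round(fail_ratio, 2),
                # accounts that the stuffing source actually got into: reset and notify these
                "logged_in": sorted(s["ok"]),
            }
    return flagged
```

The `logged_in` list is the actionable output: those are the accounts a password reset and customer notification would target, which is the response the report describes.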

Official Statement

"Earlier this year, Roku’s security monitoring systems detected an increase in unusual account activity. After a thorough investigation, we determined that unauthorized actors had accessed about 15,000 Roku user accounts using login credentials (i.e. usernames and passwords) stolen from another source unrelated to Roku through a method known as “credential stuffing.” ... After concluding our investigation of this first incident, we notified affected customers in early March and continued to monitor account activity closely to protect our customers and their personal information. Through this monitoring we identified a second incident, which impacted approximately 576,000 additional accounts. ... There is no indication that Roku was the source of the account credentials used in these attacks or that Roku’s systems were compromised in either incident. Rather, it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials. In less than 400 cases, malicious actors logged in and made unauthorized purchases of streaming service subscriptions and Roku hardware products using the payment method stored in these accounts, but they did not gain access to any sensitive information, including full credit card numbers or other full payment information. ... While the overall number of affected accounts represents a small fraction of Roku’s more than 80M active accounts, we are implementing a number of controls and countermeasures to detect and deter future credential stuffing incidents. First, we have reset the passwords for all affected accounts and are notifying those customers directly about this incident. We also are refunding or reversing charges for the small number of accounts where we’ve determined that unauthorized actors made purchases of streaming service subscriptions or Roku hardware products using a payment method stored in these accounts. 
We also want to reassure customers that these malicious actors were not able to access sensitive user information or full credit card information. As a part of our ongoing commitment to information security, we have enabled two-factor authentication (2FA) for all Roku accounts, even for those that have not been impacted by these recent incidents. As a result, the next time you attempt to log in to your Roku account online, a verification link will be sent to the email address associated with your account, and you will need to click the link in the email before you can access the account..."



Breach Summary

Status
✅ Confirmed
Criticality
Critical
Breached Data
  • Login Credentials
Total Breaches
1 time

LeakList. All rights reserved.