Roku warns that 576,000 accounts have been hacked in new credential stuffing assaults after disclosing one other incident that compromised 15,000 accounts in early March.
The corporate stated the attackers used login info stolen from different on-line platforms to breach as many lively Roku accounts as doable in credential stuffing assaults.
In such assaults, the risk actors leverage automated instruments to aim thousands and thousands of logins utilizing an inventory of person/password pairs, with this system being notably efficient towards accounts whose homeowners have reused the identical login info throughout a number of platforms.
“After concluding our investigation of [the] first incident, we [..] continued to observe account exercise carefully [and] we recognized a second incident, which impacted roughly 576,000 extra accounts,” Roku stated on Friday.
“There isn’t any indication that Roku was the supply of the account credentials utilized in these assaults or that Roku’s methods have been compromised in both incident.”
“In lower than 400 instances, malicious actors logged in and made unauthorized purchases of streaming service subscriptions and Roku {hardware} merchandise utilizing the cost methodology saved in these accounts, however they didn’t achieve entry to any delicate info, together with full bank card numbers or different full cost info.”
As BleepingComputer reported in March, risk actors are utilizing credential stuffing assaults with Open Bullet 2 or SilverBullet cracking instruments to compromise Roku accounts, that are then offered for as little as 50 cents on unlawful marketplaces.
The sellers additionally present info on utilizing the stolen accounts to make fraudulent purchases, together with Roku streaming bins, sound bars, mild strips, and TVs.
Password resets and 2FA enabled by default
After discovering this second wave of credential stuffing assaults, Roku has reset the passwords for all impacted accounts and is notifying affected clients straight concerning the incident.
The corporate may also refund and reverse fees for accounts the place the attackers used the linked cost info to pay for Roku {hardware} merchandise and streaming service subscriptions.
For the reason that final incident, Roku has additionally added help for two-factor authentication (2FA) and has now enabled it by default for all buyer accounts, even for those who these current assaults haven’t impacted.
Clients are additionally suggested to decide on robust and distinctive passwords for his or her accounts and alert Roku’s buyer help in the event that they obtain requests to share their credentials, replace their cost particulars, or click on suspicious hyperlinks.
Final month, Roku disclosed one other data breach that impacted a further 15,363 clients of a complete of over 80 million lively customers after their accounts have been additionally used to make fraudulent purchases of streaming subscriptions and Roku {hardware}.
