Roku hit by second ‘credential stuffing’ attack

Connected TV player Roku has said that it has been subject to a second ‘credential stuffing’ attack that impacted about 576,000 user accounts.

The latest attack follows one earlier this year where unauthorised actors had accessed about 15,000 Roku user accounts using user names and passwords stolen from another source through ‘credential stuffing’. This is a type of cyberattack involving the use of credentials taken from one platform and used to access other platforms.

A credential stuffing attack relies on people's habit of using the same usernames and passwords across multiple services.

After the initial attack, Roku began to monitor account activity closely, which it said led it to identify the second incident.

Roku said that malicious actors logged in and made unauthorized purchases of streaming service subscriptions and Roku hardware products using the payment method stored in just under 400 accounts as a result of the attack.

However, it said that the attackers did not gain access to any sensitive information, including full credit card numbers or other full payment information. 

The company said it had reset the passwords for all affected accounts and is notifying those customers directly about this incident.

It has committed to refund or reverse charges for the accounts where it has determined that unauthorized actors made purchases of streaming service subscriptions or Roku hardware products.

Roku has also introduced two-factor authentication for all Roku accounts, meaning users will have to take an extra step to log in. However, it said it had “worked hard to make it as simple as possible” for users to access the service.
