Roku warns that 576,000 accounts were hacked in new credential stuffing attacks, after disclosing another incident that compromised 15,000 accounts in early March.
The company said the attackers used login information stolen from other online platforms to breach as many active Roku accounts as possible in credential stuffing attacks.
In such attacks, the threat actors use automated tools to attempt millions of logins from a list of username/password pairs; the technique is particularly effective against accounts whose owners have reused the same login information across multiple platforms.
“After concluding our investigation of [the] first incident, we [..] continued to monitor account activity closely [and] we identified a second incident, which impacted approximately 576,000 additional accounts,” Roku said on Friday.
“There is no indication that Roku was the source of the account credentials used in these attacks or that Roku’s systems were compromised in either incident.”
“In less than 400 cases, malicious actors logged in and made unauthorized purchases of streaming service subscriptions and Roku hardware products using the payment method stored in these accounts, but they did not gain access to any sensitive information, including full credit card numbers or other full payment information.”
As BleepingComputer reported in March, threat actors are using credential stuffing attacks with the Open Bullet 2 or SilverBullet cracking tools to compromise Roku accounts, which are then sold for as little as 50 cents on illegal marketplaces.
The sellers also provide information on using the stolen accounts to make fraudulent purchases, including Roku streaming boxes, sound bars, light strips, and TVs.
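The credential stuffing pattern described above (one source trying many different usernames, mostly failing, with the occasional hit on a reused password) is what a defender looks for in login logs. The following is an added example, not code from the article or from Roku: it parses a small constructed set of authentication log lines (timestamp, source IP, account, result) and flags sources whose behaviour matches that pattern, listing the accounts that succeeded inside the run so they can be reset.

```python
from collections import defaultdict

# Constructed sample of login audit lines (not real Roku data):
# timestamp, source IP, account name, result
SAMPLE_LOG = """\
2024-04-12T10:00:01 203.0.113.5 alice@example.com FAIL
2024-04-12T10:00:02 203.0.113.5 bob@example.com FAIL
2024-04-12T10:00:02 203.0.113.5 carol@example.com OK
2024-04-12T10:00:03 203.0.113.5 dave@example.com FAIL
2024-04-12T10:00:03 203.0.113.5 erin@example.com FAIL
2024-04-12T10:00:04 203.0.113.5 frank@example.com FAIL
2024-04-12T10:05:00 198.51.100.7 alice@example.com FAIL
2024-04-12T10:05:09 198.51.100.7 alice@example.com OK
"""


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append({"ts": ts, "src": src, "user": user, "ok": result == "OK"})
    return events


def flag_credential_stuffing(events, min_distinct_users=5, min_fail_ratio=0.6):
    """Return {source_ip: stats} for sources that look like credential stuffing:
    many *different* account names tried from one source with a high failure
    rate. A legitimate user retrying their own password only ever touches one
    account, so it never reaches the distinct-user threshold."""
    by_src = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "failures": 0, "hits": set()})
    for e in events:
        s = by_src[e["src"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["ok"]:
            s["hits"].add(e["user"])  # success inside a stuffing run = reused password
        else:
            s["failures"] += 1
    flagged = {}
    for src, s in by_src.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged[src] = {"distinct_users": len(s["users"]),
                            "fail_ratio": round(ratio, 2),
                            "accounts_to_reset": sorted(s["hits"])}
    return flagged
```

The thresholds are assumptions to tune per site; the "accounts_to_reset" list is the set a defender would force a password reset on, which is the response Roku describes for impacted accounts.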
Password resets and 2FA enabled by default
After discovering this second wave of credential stuffing attacks, Roku has reset the passwords for all impacted accounts and is notifying affected customers directly about the incident.
The company will also refund and reverse charges for accounts where the attackers used the linked payment information to pay for Roku hardware products and streaming service subscriptions.
Since the last incident, Roku has also added support for two-factor authentication (2FA) and has now enabled it by default for all customer accounts, even those not impacted by these recent attacks.
Customers are also advised to choose strong and unique passwords for their accounts and to alert Roku’s customer support if they receive requests to share their credentials, update their payment details, or click suspicious links.
Last month, Roku disclosed another data breach that impacted a further 15,363 customers out of a total of over 80 million active users, after their accounts were also used to make fraudulent purchases of streaming subscriptions and Roku hardware.