Roku says it experienced second 'credential stuffing' incident

Roku said account security was a 'top priority' for the company

Bad actors entered more than half a million Roku accounts without permission in another cyber incident.

The video streaming company said Friday the latest "credential stuffing" attack of 576,000 accounts came to light in the midst of its efforts to "monitor account activity closely." Those had been prompted by a prior breach. 

Ticker Security Last Change Change %
ROKU ROKU INC. 52.53 -1.44 -2.67%

The first incident saw bad actors illegally getting into 15,300 accounts through that tactic. Roku let those users know about that incident in March.

ROKU HACKERS BREACH 15,000 ACCOUNTS, USED DATA TO SUBSCRIBE TO STREAMING SERVICES

Sensitive personal data and full payment information did not get exposed in either incident, according to the company.

Roku remote in front of TV

Roku says the latest wave of job cuts will impact 6% of its workforce. (Tiffany Hagler-Geard/Bloomberg via Getty Images / Getty Images)

"There is no indication that Roku was the source of the account credentials used in these attacks or that Roku’s systems were compromised in either incident," the company said Friday. "Rather, it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials."

Roku Inc

The bad actors did take advantage of stored payment information in less than 400 instances, buying streaming service subscriptions and hardware. Such accounts will get refunds, the streaming company said.

Roku headquarters sign is seen in San Jose, California

 Roku's company logo is seen in front of Roku headquarters on Nov. 18, 2022 in San Jose, California.  (Justin Sullivan/Getty Images / Getty Images)

Roku said account security was a "top priority" for the company.

COMCAST SAYS XFINITY CYBERSECURITY INCIDENT MAY HAVE COMPROMISED CUSTOMER DATA

It is "implementing a number of controls and countermeasures to detect and deter future credential stuffing incidents." Those efforts included password resets for impacted users and two-factor authentication for every customer that uses its service, according to Roku.

The pair of breaches hit a "small fraction" of its total users, it said. In the fourth quarter, it reported 80 million active accounts collectively responsible for 29.1 billion streaming hours.

The Roku app on a television in Hastings-On-Hudson, New York, US, on Tuesday, July 25, 2023. Roku Inc. is scheduled to release earnings figures on July 27. (Tiffany Hagler-Geard/Bloomberg via Getty Images / Getty Images)

Other companies have faced credential stuffing incidents in recent months. For example, DNA-testing company 23andMe attributed an October breach to the tactic.

RISK OF CYBER INCIDENTS WEIGH HEAVILY ON BUSINESSES FOR 2024, REPORT FINDS

In January, an Allianz Commercial report identified cyber incidents as 2024’s "top business risk." Of the over 3,000 customer businesses, industry trade organizations risk management professionals and others that participated in the survey, over one-third said cyber incidents of various kinds were the risk weighing on them the most.