
Roku Detects 600,000 Impacted in Credential Stuffing Attacks

Unauthorised actors accessed about 600,000 user accounts using credential stuffing attacks.


Streaming service Roku has reported that unauthorised actors accessed about 600,000 user accounts using credential stuffing attacks.

The attackers used usernames and passwords stolen from one platform to attempt logins to accounts on other platforms. Two incidents were identified: one impacting around 15,000 user accounts, and another impacting 576,000.

Roku concluded that there was no data security compromise within its systems and that Roku was not the source of the account credentials used in these attacks. In fewer than 400 cases, malicious actors logged in and made unauthorised purchases of streaming service subscriptions and Roku hardware products using the payment method stored in these accounts.

However, Roku’s monitoring determined that attackers did not gain access to any sensitive information, including full credit card numbers or other full payment information.

Roku said it has more than 80M active accounts, so those impacted “represents a small fraction” of its user base.

“We sincerely regret that these incidents occurred and any disruption they may have caused,” its statement read. “Your account security is a top priority, and we are committed to protecting your Roku account.” 


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
