Roku Mandates 2FA for Customers After Credential-Stuffing Compromise

Roku assures customers that no financial information was stolen and that any purchases made through user accounts have been reimbursed.

Dark Reading Staff, Dark Reading

April 15, 2024

1 Min Read
A person holding a Roku remote control up to a blurred TV in the background
Source: Marvin Tolentino via Alamy Stock Photo

Roku is now making two-factor authentication (2FA) mandatory for its users after two separate incidents in which customer accounts were compromised.

Roughly 591,000 customers were affected earlier this year — the first instance, limited to 15,363 accounts, prompted Roku to keep a closer watch on customer account activity, which led to discovery of another incident affecting around 576,000 accounts. 

For around 400 customers, their accounts were reportedly used to purchase streaming subscriptions and Roku hardware using financial credentials stored in their accounts. These customers have been reimbursed for these charges, according to Roku, and the threat actors were not able to glean any sensitive financial information such as full credit card numbers. Social Security numbers, dates of birth, and other information also were not accessed, according to the data breach notice letter sent out. 

Roku stated in its blog post that it believes the attack occurred through the use of credential stuffing and said it has reset the passwords for affected accounts, in addition to mandating 2FA for all its users. 

According to Roku's blog post, "The next time you attempt to log in to your Roku account online, a verification link will be sent to the email address associated with your account, and you will need to click the link in the email before you can access the account."

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights