Roku is making two-factor authentication (2FA) mandatory for its users after two separate incidents in which customer accounts were compromised.
Approximately 591,000 customers were affected earlier this year. The first incident, limited to 15,363 accounts, prompted Roku to monitor customer account activity more closely, which led to the discovery of a second incident affecting approximately 576,000 accounts.
Roughly 400 of the compromised accounts were reportedly used by the attackers to purchase streaming subscriptions and Roku hardware with the payment methods stored in those accounts. According to Roku, the affected customers were reimbursed for these charges, and the threat actors were unable to obtain sensitive financial information such as full credit card numbers. Social Security numbers, dates of birth and other personal information were also not accessible, according to the data breach notification letter Roku sent.
Roku said in its blog post that it believes the attack was carried out through credential stuffing, in which attackers replay username and password pairs leaked from breaches of other services against Roku's login, and that it had reset passwords for the affected accounts in addition to enforcing 2FA for all its users.
According to Roku's blog post: “The next time you attempt to access your Roku account online, a verification link will be sent to the email address associated with your account, and you will need to click the link in the email before you can access your account.”
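The verification-link flow quoted above is the piece that stops a replayed password on its own from opening the account. As an added example (not Roku's code, and not a description of how Roku implements it), the block below shows the properties such a link needs: an unguessable token, a server-side signature so tampering is rejected, a short lifetime, single use, and binding to the account it was issued for. The 15-minute lifetime, the in-memory store, and the token format are assumptions for illustration.

```python
"""Single-use, time-limited email verification link (added example; all
names, the token format and the 15-minute lifetime are assumptions)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class VerificationStore:
    secret: bytes                        # server-side HMAC key (assumed)
    ttl_seconds: int = 15 * 60           # link lifetime (assumed)
    # token_id -> {"email": ..., "expiry": ..., "used": ...}
    _issued: dict = field(default_factory=dict)

    def issue(self, email: str, now: Optional[float] = None) -> str:
        """Return the opaque token that would be embedded in the emailed link."""
        now = time.time() if now is None else now
        token_id = secrets.token_urlsafe(24)          # unguessable identifier
        expiry = int(now) + self.ttl_seconds
        msg = f"{token_id}|{email}|{expiry}".encode()  # bind id, account and expiry
        tag = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        self._issued[token_id] = {"email": email, "expiry": expiry, "used": False}
        return f"{token_id}.{expiry}.{tag}"

    def verify(self, email: str, token: str,
               now: Optional[float] = None) -> Tuple[bool, str]:
        """Consume the token once; returns (accepted, reason)."""
        now = time.time() if now is None else now
        try:
            token_id, expiry_s, tag = token.split(".")
            expiry = int(expiry_s)
        except ValueError:
            return False, "malformed"
        msg = f"{token_id}|{email}|{expiry}".encode()
        expected = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        # constant-time compare so the tag cannot be guessed byte by byte
        if not hmac.compare_digest(expected, tag):
            return False, "bad-signature"
        rec = self._issued.get(token_id)
        if rec is None or rec["email"] != email:
            return False, "unknown"
        if rec["used"]:
            return False, "already-used"
        if now > rec["expiry"]:
            return False, "expired"
        rec["used"] = True                             # single use
        return True, "ok"


def demo() -> list:
    """Exercise the flow on constructed inputs; returns the reasons observed."""
    store = VerificationStore(secret=b"constructed-demo-key")
    t0 = 1_000.0
    link = store.issue("alice@example.com", now=t0)
    results = [
        store.verify("alice@example.com", link, now=t0 + 60)[1],   # ok
        store.verify("alice@example.com", link, now=t0 + 61)[1],   # already-used
        store.verify("bob@example.com", link, now=t0 + 62)[1],     # bad-signature
        store.verify("alice@example.com", "garbage", now=t0)[1],   # malformed
    ]
    stale = store.issue("alice@example.com", now=t0)
    results.append(store.verify("alice@example.com", stale,
                                now=t0 + store.ttl_seconds + 1)[1])  # expired
    tampered = stale[:-1] + ("0" if stale[-1] != "0" else "1")
    results.append(store.verify("alice@example.com", tampered, now=t0)[1])  # bad-signature
    return results


if __name__ == "__main__":
    print(demo())
```

The random identifier alone would already be unguessable; the HMAC over identifier, account and expiry additionally lets the server reject a tampered or re-targeted link before touching the store, and `compare_digest` keeps that check constant-time.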