Roku Says 576,000 Streaming Accounts Compromised in Security Breach

Publish date: 2024-08-22

Company resets passwords of affected users, implements two-factor authentication for all accounts following two hacking incidents

Following a hack that exposed more than 15,000 Roku accounts last month, the company said Friday it discovered a second security incident that affected 576,000 additional user accounts.

Roku said it reset the passwords for all affected accounts and is notifying those customers directly about the latest incident. According to the company, in fewer than 400 cases, “malicious actors” made unauthorized purchases of streaming service subscriptions and/or Roku hardware products using the payment method stored in these accounts. Roku said it is refunding or reversing charges for accounts that were compromised and used to make illicit purchases.

In addition, Roku said, it has enabled two-factor authentication (2FA) for all Roku accounts, even for those that were not affected by the recent incidents. As a result, the next time users attempt to log in to their Roku account online, a verification link will be sent to the email address associated with the account; Roku users will then need to click the link in the email before they can access the account.

Roku said the hackers did not gain access to any sensitive personal information, including full credit card numbers or other payment information.

Roku said it found no evidence that it was the source of the account credentials used in either of the attacks or that Roku’s systems were compromised in either incident. According to the company, it’s likely that login credentials used in the hacks were stolen from another source (i.e. other online accounts) for which the affected users may have used the same username and password — a cyberattack known as “credential stuffing.”

“While the overall number of affected accounts represents a small fraction of Roku’s more than 80 million active accounts, we are implementing a number of controls and countermeasures to detect and deter future credential stuffing incidents,” the company said.

Roku encouraged users to create a “strong, unique password” for their account (using a mix of at least eight characters, including numbers, symbols and lowercase and uppercase letters). It also advised customers to “remain vigilant,” being alert to any “suspicious communications appearing to come from Roku, such as requests to update your payment details, share your username or password, or click on suspicious links.” The company also directed users to an article on its customer-support site, “How to keep your Roku account secure.”

“[W]e sincerely regret that these incidents occurred and any disruption they may have caused,” the company said. “Your account security is a top priority, and we are committed to protecting your Roku account.”
