On Friday, Roku confirmed that a cyberattack compromised approximately 576,000 accounts. This is the second such attack to hit the company this year; the earlier one affected a smaller number of accounts.
What happened to Roku?
Roku said it saw an "increase in unusual account activity" earlier this year. After investigating, the company discovered that bad actors had compromised approximately 15,000 Roku accounts.
However, this was not due to a security flaw in Roku's systems. Instead, the attackers obtained the usernames and passwords for these accounts from a third party, most likely a trove of stolen credentials leaked online. They didn't necessarily know that those usernames and passwords belonged to Roku accounts; instead, they engaged in what's called "credential stuffing," an automated process in which stolen credentials are tried against popular services until a combination works. In this case, they initially gained access to 15,000 accounts before achieving even bigger wins.
Roku said it continued to investigate after the incident and discovered an additional 576,000 compromised accounts in the process. Roku still believes the credentials for these accounts were obtained elsewhere, suggesting they may have come from another service where the user had the same username and password. (Friends, don't reuse your passwords.) So the company probably doesn't currently have a security issue of its own.
What to do if your Roku account is affected
Since Roku has over 80 million active accounts, the chances are slim that you're among the small percentage of affected users. Nonetheless, Roku said it has reset passwords for all users affected by the attack. If a bad actor used your account to make purchases, Roku has refunded you; this affected only a small number of users (fewer than 400 cases). The company says the attack did not compromise any financial information, so you can keep your credit card for now.
The company has also enabled two-factor authentication (2FA) for all affected accounts. That's a good thing: 2FA requires access to a trusted device or phone number to complete the login after entering a password. Even if your credentials are leaked online, bad actors can't log into your account without access to your smartphone, greatly reducing the likelihood of a breach. If you haven't set up 2FA on your Roku account (or any account that offers this feature), be sure to do so as soon as possible.
Fortunately, these attacks did not affect more users, but the incident highlights the importance of staying on top of digital security. Simple steps like using strong and unique passwords for all accounts and setting up 2FA when possible can prevent your accounts from being compromised.