Roku says 576,000 more of its users were hacked in second attack

Wait, there was another Roku hack? That’s right, and this one was much bigger than the first, although Roku says the actual damage from this latest “credential-stuffing” attack was minimal.

Roku notified its users on Friday that, after the March incident that affected 15,000 accounts, it detected a second wave of attacks that compromised a whopping 576,000 more accounts, Bleeping Computer reports.

As with the first attack, the latest incident was a case of credential stuffing: attackers took usernames and passwords stolen from other services and tried those same combinations against Roku's login, betting that at least some users had reused the same password on Roku.
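The pattern described above is also what makes credential stuffing visible on the defender's side. As an added example (not Roku's code and not from the original article), the script below scans a small set of constructed login-log lines and flags sources that are replaying a leaked list: many distinct usernames from one IP in a short window, with a high failure ratio because most leaked pairs are not reused on this site. It also lists the accounts where a stuffed login succeeded, which are the ones that would need a forced password reset. The log format, the thresholds and the sample lines are assumptions made for the example.

```python
"""Credential-stuffing detection over login logs (added example, not Roku's code).

Assumed log line format: "<ISO timestamp> login <ok|fail> user=<name> ip=<addr>".
Thresholds and the sample log are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

LOG_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


@dataclass
class SourceStats:
    """Counters for one (source IP, time window) bucket."""
    users: set = field(default_factory=set)
    attempts: int = 0
    failures: int = 0
    compromised: set = field(default_factory=set)  # accounts where a login succeeded


def parse_log(text):
    """Yield (timestamp, result, user, ip) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect_stuffing(text, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.8):
    """Return {(ip, window_start): SourceStats} for buckets that look like stuffing.

    Stuffing signature: many *distinct* usernames from one source, each tried
    once or twice, with most attempts failing. One username hammered repeatedly
    is brute force, not stuffing, and is deliberately not flagged here.
    """
    epoch = datetime(1970, 1, 1)
    buckets = defaultdict(SourceStats)
    for ts, result, user, ip in parse_log(text):
        # Fixed-size windows: floor the timestamp to a multiple of `window`.
        start = epoch + window * ((ts - epoch) // window)
        s = buckets[(ip, start)]
        s.users.add(user)
        s.attempts += 1
        if result == "fail":
            s.failures += 1
        else:
            s.compromised.add(user)
    return {
        key: s
        for key, s in buckets.items()
        if len(s.users) >= min_users and s.failures / s.attempts >= min_fail_ratio
    }


def accounts_to_reset(flagged):
    """Accounts with a successful login from a flagged source: force-reset these."""
    out = set()
    for s in flagged.values():
        out |= s.compromised
    return sorted(out)


# Constructed sample: one stuffing source (203.0.113.7), one brute-forcer
# (198.51.100.2, single username), one ordinary user (192.0.2.9).
SAMPLE_LOG = """\
2024-03-01T10:00:01 login fail user=alice ip=203.0.113.7
2024-03-01T10:00:02 login fail user=bob ip=203.0.113.7
2024-03-01T10:00:02 login ok user=carol ip=203.0.113.7
2024-03-01T10:00:03 login fail user=dave ip=203.0.113.7
2024-03-01T10:00:03 login fail user=erin ip=203.0.113.7
2024-03-01T10:00:04 login fail user=frank ip=203.0.113.7
2024-03-01T10:00:05 login fail user=grace ip=203.0.113.7
2024-03-01T10:00:05 login ok user=heidi ip=203.0.113.7
2024-03-01T10:00:06 login fail user=mallory ip=203.0.113.7
2024-03-01T10:00:07 login fail user=oscar ip=203.0.113.7
2024-03-01T10:01:00 login fail user=ivan ip=198.51.100.2
2024-03-01T10:01:05 login fail user=ivan ip=198.51.100.2
2024-03-01T10:01:10 login fail user=ivan ip=198.51.100.2
2024-03-01T10:01:15 login fail user=ivan ip=198.51.100.2
2024-03-01T10:01:20 login fail user=ivan ip=198.51.100.2
2024-03-01T10:01:25 login fail user=ivan ip=198.51.100.2
2024-03-01T10:02:00 login fail user=judy ip=192.0.2.9
2024-03-01T10:02:30 login ok user=judy ip=192.0.2.9
"""

if __name__ == "__main__":
    flagged = detect_stuffing(SAMPLE_LOG)
    for (ip, start), s in flagged.items():
        print(f"{ip} {start:%H:%M}: {len(s.users)} users, "
              f"{s.failures}/{s.attempts} failed, hits={sorted(s.compromised)}")
    print("reset:", accounts_to_reset(flagged))
```

Two caveats a practitioner would add: real stuffing runs are spread across proxies and botnets precisely to stay under per-IP thresholds, so the same counters should also be kept globally (overall failure rate per minute, distinct usernames per ASN); and the "ok" rows are the point of mandatory 2FA, since with a second factor a correct reused password still does not get the attacker into the account.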

Roku was careful to note that it was not the source of the data breach in either hacking incident.

While more than half a million Roku accounts were compromised in the most recent hack, Roku says there were “less than 400 cases” in which “malicious actors” used the payment information saved in the hacked accounts to make purchases, namely streaming subscriptions or Roku hardware.

No “full” credit card numbers or other sensitive personal information was stolen during the attack, according to Roku.

In the wake of the latest hack, Roku says it reset the passwords for all the compromised accounts, while also canceling or refunding any fraudulent purchases.

Even better, the streamer has finally rolled out two-factor authentication and enabled it for all users, a security measure that should make future credential-stuffing attacks much harder to pull off, since a reused password alone is no longer enough to get into an account.

Previously, Roku had offered 2FA for its smart home app, but not for streaming Roku accounts.

Again, the lesson from this latest Roku hack is to use a strong, unique password for every service and never reuse one, since password reuse is exactly what credential stuffing exploits.

That said, online services need to pitch in by offering the extra layer of 2FA, and it's good to see that Roku has now done just that.

© Tech Hive