Roku data breach hits 576,000 accounts


A second Roku data breach is being widely reported, marking another security blow to the company. The first Roku data breach was relatively small, affecting around 15,000 accounts. But this latest Roku data breach is much larger, with 576,000 accounts being impacted by a credential stuffing attack.


Hackers and attackers use a wide variety of methods to steal data and circumvent security measures, and credential stuffing works well. This Roku data breach has caused the company to turn on two-factor authentication for all users. This is what credential stuffing is:


Credential stuffing is the automated injection of stolen username and password pairs (“credentials”) in to website login forms, in order to fraudulently gain access to user accounts.

Since many users will re-use the same password and username/email, when those credentials are exposed (by a database breach or phishing attack, for example) submitting those sets of stolen credentials into dozens or hundreds of other sites can allow an attacker to compromise those accounts too.

Credential Stuffing is a subset of the brute force attack category. Brute forcing will attempt to try multiple passwords against one or multiple accounts; guessing a password, in other words. Credential Stuffing typically refers to specifically using known (breached) username / password pairs against other websites.

OWASP
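The distinction OWASP draws above between credential stuffing and brute forcing shows up in the shape of login traffic, which this added example illustrates from the defender's side. It is not code from this article, OWASP or Roku; the event format, thresholds, sample data and function names are all assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real Roku logs): (epoch_seconds, source_ip, username, success)
def build_sample_events():
    events = []
    # Source A: one attempt each against many different accounts (stuffing pattern)
    for i in range(20):
        events.append((1000 + i, "203.0.113.10", f"user{i}@example.com", i == 7))
    # Source B: many guesses against a single account (brute-force pattern)
    for i in range(20):
        events.append((1000 + i, "203.0.113.20", "alice@example.com", False))
    # Source C: an ordinary user mistyping a password, then succeeding
    events += [(1005, "198.51.100.5", "bob@example.com", False),
               (1010, "198.51.100.5", "bob@example.com", True)]
    return events

def classify_sources(events, window=300, min_attempts=10, max_tries_per_user=2.0):
    """Label each source IP by the shape of its login attempts.

    Simplification: only the first `window` seconds after a source's first
    event are examined. Thresholds are illustrative assumptions.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    verdicts = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = rows[0][0]
        rows = [r for r in rows if r[0] - start <= window]
        attempts = len(rows)
        users = {u for _, u, _ in rows}
        tries_per_user = attempts / len(users)
        if attempts < min_attempts:
            label = "normal"
        elif tries_per_user <= max_tries_per_user:
            label = "credential_stuffing"  # many accounts, about one known pair each
        else:
            label = "brute_force"          # many guesses concentrated on few accounts
        # Accounts with a successful login from a flagged source need a password reset
        hit = sorted({u for _, u, ok in rows if ok}) if label != "normal" else []
        verdicts[ip] = {"label": label, "attempts": attempts,
                        "distinct_users": len(users), "compromised": hit}
    return verdicts

if __name__ == "__main__":
    for ip, verdict in classify_sources(build_sample_events()).items():
        print(ip, verdict)
```

Attack traffic is often spread across many source addresses, so a per-IP view like this is one signal among several rather than a complete detector.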

Roku says that there were cases where the attackers used the victims’ Roku accounts to buy streaming subscriptions and Roku hardware by using the stored payment method in the account. But the company says that the full credit card numbers and other information were not accessed.

Roku has reset the passwords of all affected accounts and has begun informing users who were affected. According to Engadget, “the company is also turning on two-factor authentication for its more than 80 million active accounts. The next time you log in, you’ll get a verification email. You’ll need to click a link in the email before you can access your account.”

Roku is also reversing charges that the hackers made by purchasing subscriptions and hardware. This Roku data breach wasn’t massive, but it goes to show that the age of the data breach is just getting started. I have said it time and again: these are only going to get worse as the amount of data we put out there grows.

What do you think of this Roku data breach? Were you impacted? Has Roku contacted you about the incident? Did you notice two-factor authentication turned on for your Roku account? What do you think Roku should be doing about this incident? What should it do better in the future to protect its users? What can you do better to protect yourself? Are you using strong passwords with two-factor authentication turned on? How much effort do you put into your security?

