Roku on Friday disclosed that 576,000 accounts were accessed by malicious actors.
The San José, California, technology company said that it discovered the problem after monitoring unusual account activity on its platform earlier this year that affected roughly 15,000 user accounts.
Through its investigation, Roku said that the malicious actors stole the login credentials through a different source and applied a practice called “credential stuffing,” applying stolen usernames and passwords across multiple platforms to take advantage of people who use the same credentials across multiple services.
In fewer than 400 of the cases, Roku said the malicious actors made unauthorized purchases of streaming subscriptions and Roku hardware products, but did not gain access to full credit card information.
“We concluded at the time that no data security compromise occurred within our systems, and that Roku was not the source of the account credentials used in these attacks,” Roku said in a statement.
The company said it is enabling two-factor authentification for all of its 80 million account holders. Roku reset passwords for the affected accounts and reversed or refunded the unauthorized charges made by the malicious actors, the firm said.
“We also want to reassure customers that these malicious actors were not able to access sensitive user information or full credit card information,” Roku said.
___
© 2024 Los Angeles Times
Distributed by Tribune Content Agency, LLC.