Streaming giant Roku has disclosed that it experienced a second data security breach in as many months.
This time, about 576,000 user accounts were compromised by a second credential stuffing attack. In credential stuffing, threat actors test username/password combinations from other incidents, knowing that some consumers re-use the same login across sites and that some percentage of their attempts will work on the new target. As Roku explained, both the earlier incident and the current one were due to credential stuffing attacks and not any compromise of Roku’s system.
In fewer than 400 cases, malicious actors logged in and made unauthorized purchases of streaming service subscriptions and Roku hardware products using the payment method stored in these accounts. They did not gain access to any sensitive information, including full credit card numbers or other full payment information.
More information is available on Roku’s website.