Roku says second security incident impacted 576,000 additional accounts

Roku published an update regarding recent security incidents, stating in part in a blog post: “Earlier this year, Roku‘s security monitoring systems detected an increase in unusual account activity. After a thorough investigation, we determined that unauthorized actors had accessed about 15,000 Roku user accounts using login credentials (i.e. usernames and passwords) stolen from another source unrelated to Roku through a method known as ‘credential stuffing.’… After concluding our investigation of this first incident, we notified affected customers in early March and continued to closely monitor account activity to protect our customers and their personal information. Through this monitoring we identified a second incident, which impacted approximately 576,000 additional accounts. There is no indication that Roku was the source of the account credentials used in these attacks or that Roku’s systems were compromised in either incident. Rather, it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials. In less than 400 cases, malicious actors logged in made unauthorized purchases of streaming service subscriptions and Roku hardware products using the payment method stored in these accounts, but they did not gain access to any sensitive information, including full credit card numbers or other full payment information… In closing, we sincerely regret that these incidents occurred and any disruption they may have caused. Your account security is a top priority, and we are committed to protecting your Roku account.”