Roku Says More Than 500,000 Accounts Were Compromised in a Cyberattack

On Friday, Roku confirmed a cyberattack compromised roughly 576,000 accounts. It marks the second such cyberattack to affect the company, which compromised a smaller number of accounts earlier this year.

What's going on at Roku?

Roku says it detected an "increase in unusual account activity" earlier this year. After checking into it, the company found that bad actors had compromised about 15,000 Roku accounts.

This wasn't due to a security breach in Roku's systems, however. Instead, these bad actors obtained the usernames and passwords for these accounts through third-parties, likely through sources that leak stolen credentials online. They didn't necessarily know these usernames and passwords were for Roku accounts; rather, they engaged in what's known as "credential stuffing," an automated process where they try to log into popular account types with stolen credentials until they land on a winning combination. As it happens, they landed on an initial 15,000 accounts, before moving on to larger wins.

Roku says it continued to investigate following this incident, and discovered another 576,000 compromised accounts in the process. Roku still thinks the credentials for these accounts were taken from somewhere else, and even suggests they might've been taken from accounts where users had the same username and password. (Don't reuse your passwords, people.) As such, the company likely doesn't have a security issue at this time.

What you should do if your Roku account was affected

As Roku has over 80 million active accounts, the chances yours was among the fraction of a percent of users affected is small. Still, Roku says it has reset passwords for all users affected in this attack. If bad actors made a payment using your account, Roku has refunded you. The company says no financial information was breached in the attack, so you can hold onto your credit cards for now. This also affected a small number of the users (fewer than 400 cases).

The company also enabled two-factor authentication (2FA) for all affected accounts. This is a good thing: 2FA requires access to a trusted device or phone number to finish logging in after entering your password. Even if your credentials leak online, bad actors won't be able to log into your account without access to, say, your smartphone, significantly reducing the chances of a breach. If you don't have 2FA set up yet on your Roku account (or any account that offers it, for that matter), make sure to do so ASAP.

It's lucky the attacks didn't affect more users, but the incident shines a light on how important it is to be on top of your digital security. Simple steps like using strong and unique passwords for all accounts, and setting up 2FA whenever possible, can prevent your accounts from being breached.