Cyber Incident Victim: Roku
Date:
Jan 2024
Location:
United States of America
Summary
A credential stuffing attack compromised approximately 591,000 user accounts across two incidents, with attackers leveraging credentials stolen from unrelated third-party sources rather than breaching the company's systems. Unauthorized actors accessed accounts to fraudulently purchase streaming subscriptions and hardware using stored payment methods in fewer than 400 cases, though no sensitive information like full credit card details was exposed. The company responded by resetting affected account passwords, reversing unauthorized charges, and implementing mandatory two-factor authentication for all accounts to enhance security.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In early 2024, Roku's security monitoring systems detected unusual account activity, prompting an investigation that revealed unauthorized actors had accessed approximately 15,000 user accounts through credential stuffing. Credential stuffing replays username and password pairs leaked from breaches of unrelated third-party services against a target's login endpoint; it succeeds wherever a user reused the same password, so the attacker needs no vulnerability in the target itself. Roku confirmed its systems were not compromised and that the company was not the source of the stolen credentials. Affected customers from this first incident were notified in early March 2024. Continued monitoring then identified a second credential stuffing incident affecting approximately 576,000 additional accounts, bringing the total to 591,000 out of Roku's more than 80 million active accounts. In fewer than 400 cases across both incidents, attackers used stored payment methods to purchase streaming subscriptions and hardware; they did not obtain sensitive information such as full credit card numbers or complete payment details.
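The kind of monitoring signal described above, as an added example that is not Roku's code or data: a small detector run over constructed authentication log lines (the `ip=… user=… result=…` format is assumed for illustration). It separates credential stuffing, where one source cycles through many distinct accounts with a high failure ratio, from an ordinary user retrying their own password and from a shared office NAT where several users all log in successfully, and it reports the accounts that did succeed from a flagged source, since those are the ones to reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (illustrative only; not Roku's logs).
# 203.0.113.5  : one source, eight accounts in 11 s, one success -> stuffing
# 198.51.100.9 : one user mistyping their password, then succeeding -> benign
# 192.0.2.20   : office NAT, five users logging in successfully    -> benign
LOG_LINES = """\
2024-01-05T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-01-05T10:00:03Z ip=203.0.113.5 user=bob result=FAIL
2024-01-05T10:00:04Z ip=203.0.113.5 user=carol result=FAIL
2024-01-05T10:00:06Z ip=203.0.113.5 user=dave result=OK
2024-01-05T10:00:08Z ip=203.0.113.5 user=erin result=FAIL
2024-01-05T10:00:09Z ip=203.0.113.5 user=frank result=FAIL
2024-01-05T10:00:11Z ip=203.0.113.5 user=grace result=FAIL
2024-01-05T10:00:12Z ip=203.0.113.5 user=heidi result=FAIL
2024-01-05T10:01:00Z ip=198.51.100.9 user=ivan result=FAIL
2024-01-05T10:01:20Z ip=198.51.100.9 user=ivan result=FAIL
2024-01-05T10:01:45Z ip=198.51.100.9 user=ivan result=OK
2024-01-05T10:02:00Z ip=192.0.2.20 user=judy result=OK
2024-01-05T10:02:10Z ip=192.0.2.20 user=mallory result=OK
2024-01-05T10:02:20Z ip=192.0.2.20 user=oscar result=OK
2024-01-05T10:02:30Z ip=192.0.2.20 user=peggy result=OK
2024-01-05T10:02:40Z ip=192.0.2.20 user=trent result=OK
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "OK"}


def detect_credential_stuffing(lines, window=timedelta(seconds=60),
                               min_accounts=5, min_fail_ratio=0.5):
    """Flag source IPs whose attempts inside any sliding `window` touch at least
    `min_accounts` distinct accounts with a failure ratio of at least
    `min_fail_ratio`. Returns {ip: {accounts_tried, failures, compromised}},
    where `compromised` lists accounts that logged in successfully from that IP."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Advance the window start so that all events in [start, end] fit in `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            users = {e["user"] for e in win}
            failures = sum(1 for e in win if not e["ok"])
            # Many distinct accounts alone is not enough (a NAT looks like that);
            # the high failure ratio is what distinguishes sprayed, mostly-stale
            # credentials from real users who know their passwords.
            if len(users) >= min_accounts and failures / len(win) >= min_fail_ratio:
                findings[ip] = {
                    "accounts_tried": len({e["user"] for e in events}),
                    "failures": sum(1 for e in events if not e["ok"]),
                    "compromised": sorted({e["user"] for e in events if e["ok"]}),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(LOG_LINES).items():
        print(f"{ip}: tried {f['accounts_tried']} accounts, "
              f"{f['failures']} failures, reset {f['compromised']}")
```

Per-source thresholds like these catch the unsophisticated case; stuffing run through residential proxy pools spreads a handful of attempts across thousands of IPs, so production detection also aggregates on signals the source cannot cheaply vary (failure rate across the whole login endpoint, client fingerprint, impossible travel for the accounts that succeed).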

Roku responded by resetting passwords for all affected accounts and directly notifying impacted customers, and it refunded or reversed the unauthorized charges on accounts where fraudulent purchases occurred. As a security enhancement, Roku made two-factor authentication (2FA) mandatory for all accounts: a login attempt triggers a verification link sent to the account's email address, which must be clicked before access is granted. This removes the reused password as a sufficient credential, though the factor is only as strong as the mailbox behind it; a user who reused the same password for their email account gains little from it. The company maintained that its systems remained uncompromised throughout both incidents and that the attackers sourced credentials exclusively from external platforms. The monitoring kept in place after the first incident is what surfaced the second, and no evidence suggested attackers accessed sensitive user information beyond the limited fraudulent transactions.
