Roku makes 2FA mandatory for all after nearly 600K accounts pwned

Roku makes 2FA mandatory for all after nearly 600K accounts pwned

April 15, 2024 at 11:40AM

Roku is requiring 2FA for all accounts after attackers accessed around 591,000 customer accounts through credential stuffing attacks. Users affected by the compromise have been reimbursed, and no sensitive information was accessed. Roku emphasized the need for unique passwords and vigilant monitoring of suspicious activity. All users are encouraged to implement strong passwords.

After carefully reviewing the meeting notes, the key takeaways are as follows:

1. Roku experienced two separate incidents involving unauthorized access to customer accounts, affecting a total of around 591,000 accounts. The first incident impacted 15,363 accounts, prompting the company to enhance account monitoring in March. This monitoring led to the discovery of a second incident affecting approximately 576,000 accounts.

2. Attackers used a small number of compromised accounts to make unauthorized purchases of streaming subscriptions and Roku hardware using stored payment details. However, all affected account holders have been fully reimbursed, and no sensitive information, such as full credit card numbers or social security numbers, was accessed.

3. Roku’s systems appear to be secure from compromise, as it believes the attacks were carried out through credential stuffing using stolen credentials from other sources.

4. As a response to the incidents, Roku has made two-factor authentication (2FA) mandatory for all accounts, regardless of whether they were directly affected. Additionally, all users have been encouraged to create strong, unique passwords to enhance security.

Overall, Roku has taken significant steps to address the breaches and reassure customers of their commitment to account security. These measures are in line with industry best practices and recommendations for improving password security and preventing unauthorized access.

If you need further details or additional clarifications, please feel free to ask.

Full Article