Roku Mandates 2FA for Customers After Credential-Stuffing Compromise

Roku is now making two-factor authentication (2FA) mandatory for its users after two separate incidents in which customer accounts were compromised.

Roughly 591,000 customers were affected earlier this year — the first instance, limited to 15,363 accounts, prompted Roku to keep a closer watch on customer account activity, which led to discovery of another incident affecting around 576,000 accounts. 

For around 400 customers, their accounts were reportedly used to purchase streaming subscriptions and Roku hardware using financial credentials stored in their accounts. These customers have been reimbursed for these charges, according to Roku, and the threat actors were not able to glean any sensitive financial information such as full credit card numbers. Social Security numbers, dates of birth, and other information also were not accessed, according to the data breach notice letter sent out. 

Roku stated in its blog post that it believes the attack occurred through the use of credential stuffing and said it has reset the passwords for affected accounts, in addition to mandating 2FA for all its users. 

According to Roku's blog post, "The next time you attempt to log in to your Roku account online, a verification link will be sent to the email address associated with your account, and you will need to click the link in the email before you can access the account."