Roku forcing 2-factor authentication after 2 breaches of 600K accounts
Everyone with a Roku TV or streaming device will eventually be forced to enable two-factor authentication after the company disclosed two separate incidents in which roughly 600,000 customers had their accounts accessed through credential stuffing.
Credential stuffing is an attack in which usernames and passwords exposed in one leak are tried out against other accounts, typically using automated scripts. When people reuse usernames and passwords across services or make small, easily intuited changes between them, actors can gain access to accounts with even more identifying information and access.
In the case of the Roku attacks, that meant access to stored payment methods, which could then be used to buy streaming subscriptions and Roku hardware. Roku wrote on its blog, and in a mandated data breach report, that purchases occurred in "less than 400 cases" and that full credit card numbers and other "sensitive information" was not revealed.
The first incident, "earlier this year," involved roughly 15,000 user accounts, Roku stated. By monitoring these accounts, Roku identified a second incident, one that touched 576,000 accounts. These were collectively "a small fraction of Roku's more than 80M active accounts," the post states, but the streaming giant will work to prevent future such stuffing attacks.
/cloudfront-us-east-2.images.arcpublishing.com/reuters/2ZJFJEPJQRKPPGAEOEZP4XYNZY.jpg)
