Some sequels are unwarranted, some are welcomed. Having two data breaches over the span of six months fits in the former category.
After disclosing a previous data leak last month that compromised over 15,000 accounts, Roku has informed customers that there has been yet another breach, this time affecting over half a million accounts. Roku claims that it has 80 million active users currently residing in the purple land of Roku City.
The company issued a blog post to explain the situation and provide important tips for securing accounts.
“After concluding our investigation of this first incident, we notified affected customers in early March and continued to monitor account activity closely to protect our customers and their personal information. Through this monitoring we identified a second incident, which impacted approximately 576,000 additional accounts.
“While the overall number of affected accounts represents a small fraction of Roku’s more than 80M active accounts, we are implementing a number of controls and countermeasures to detect and deter future credential stuffing incidents.”
The company also added that the attackers did not acquire sensitive information such as credit card numbers or addresses. Owners of affected accounts have been notified and their passwords have been automatically reset. Roku suggests that all users enable two-factor authentication, even if they were not affected by the breach.
Even though the breach happened on Roku, the company says that a third party was responsible for it and that it happened through “credential stuffing.” Further: “We sincerely regret that these incidents occurred and any disruption they may have caused,” the company said.