Roku said a newly discovered data breach compromised the accounts of roughly 576,000 users.
The company discovered the intrusion while monitoring account activity following a smaller January incident that affected about 15,000 accounts.
Roku added it wasn’t the source of the credentials in either breach, and that its systems weren’t affected. Instead, the streaming media firm suspected the logins had been stolen from a third party, the hallmark of a “credential stuffing” attack. Users might have used the same sign-in details at those sites.
There has been some damage, however. Roku noted “less than 400” cases where intruders signed in and bought both devices and subscriptions. The intruders didn’t access sensitive information like payment details.
Roku reset the passwords for affected accounts and has enabled two-factor authentication for all users. You’ll have to click an email verification link the next time you sign in, the company said.
The firm added it would refund or reverse charges for accounts hijacked to make purchases. It didn’t provide the value of the purchases made.
The breach comes at a difficult time for Roku. While its profit was up slightly year-over-year in 2023, the service warned in February that a tough economic environment and an “uneven” advertising market would limit its growth for the rest of 2024.
The breach compromised just a fraction of the roughly 80 million Roku accounts active as of last year. However, this and the previous incident might shake the confidence of those users concerned about the safety of their data.
It won’t necessarily lead to many users switching platforms. Roku had a 55% share of North America’s connected TV device market in the fourth quarter of 2023, according to analytics firm Pixalate. It also had a lead in Latin America. Roku is still very popular, and the cost of replacing hardware (plus exclusive services like the free Roku Channel) may prove too high.