Streaming service provider Roku disclosed on Friday the discovery of a second cyberattack, impacting approximately 576,000 additional accounts during an investigation into a breach that initially affected 15,000 user accounts earlier in the year.
Despite the breach, which raised concerns among its more than 80 million active accounts, Roku assured users that hackers did not obtain access to sensitive information such as complete credit card numbers or other payment details. Nevertheless, the incident led to a decline of about 2% in Roku's shares during early trading.
While Roku reassured users about the safety of their sensitive information, the company admitted to less than 400 instances where the compromised information was utilized to make unauthorized purchases of streaming service subscriptions and hardware products, utilizing the payment methods stored in the affected accounts. In response, Roku pledged to refund or reverse charges for accounts involved in unauthorized transactions resulting from the cyberattack.
Roku attributed the breach to "credential stuffing," a tactic wherein hackers exploit reused login credentials across multiple platforms. In light of these events, the company has implemented two-factor authentication for all accounts to bolster security measures and prevent future unauthorized access.