Roku: Credential Stuffing Attacks Affect 591,000 Accounts – Source: securityboulevard.com

Almost 600,000 Roku customers had their accounts hacked through two credential stuffing attacks several weeks apart, illustrating the ongoing risks to people who reuse passwords for multiple online accounts.

The streaming service in March reported that more than 15,000 accounts were compromised in a credential stuffing attack, in which bad actors leverage usernames and passwords stolen from one organization to access accounts in another, exploiting individuals who use the same credential for multiple online accounts.

An investigation into the attack found that no data was compromised and that the credentials used in the incident came from another source, Roku officials wrote in a blog post.

“After concluding our investigation of this first incident, we notified affected customers in early March and continued to monitor account activity closely to protect our customers and their personal information,” they wrote. “Through this monitoring we identified a second incident, which impacted approximately 576,000 additional accounts.”

As with the first incident, Roku wasn’t the source of the usernames and passwords, the officials wrote. The hackers were able to log into fewer than 400 accounts and make unauthorized purchases of streaming service subscriptions and Roku hardware products, but didn’t gain access to sensitive information, including full credit card numbers or other full payment data.

Here Comes 2FA

In response, Roku – which last year surpassed 80 million active accounts – is implementing a range of controls to ward off such attacks, including enabling two-factor authentication (2FA) on all accounts, including those that weren’t affected by the two incidents.

“As a result, the next time you attempt to log in to your Roku account online, a verification link will be sent to the email address associated with your account, and you will need to click the link in the email before you can access the account,” they wrote.

In addition, Roku reset the passwords of the impacted accounts and directly notified those customers about the attacks and is refunding or reversing charges for those accounts through which the hackers bought services or products that leveraged stored payment methods.

Company officials also are outlining ways users can protect themselves, with creating strong and unique passwords to make it more difficult for threat actors to access their accounts. That includes using a mix of letters – upper and lowercase – numbers, and symbols. They also urged users to stay alert to unusual behaviors on their accounts and to keep updated on Roku’s announcements and blog posts.

Passwords are a Challenge

Credential stuffing attacks continue to be a problem and a key driver fueling the push by such high-profile vendors as Microsoft, Google, and Apple, as well as industry groups like the FIDO Alliance, for login methods that don’t need usernames and passwords, such as passkeys. Until that time, they are pushing for expanded use of multifactor authentication (MFA) to add another protection layer.

Auth0, which is owned by identity and access management vendor Okta, offers a platform used to verify the identities of users before giving them access to websites and applications. In a blog post last year, Auth0 noted that credential stuffing attacks are so common because 64% of people reuse the same password for multiple accounts and that on the Auth0 platform, nearly half of all login requests received every day are attempts at credential stuffing. The problem promises to grow, with billions of stolen credentials available on the dark web, the organization wrote.

Verizon’s 2024 Data Breach Investigations Report found that more than 80% hacking-related breaches involve lost or stolen credentials. VPN vendor NordPass estimates that the average person has about 100 passwords, making it a significant challenge for them to remember 100 or more unique passwords, leading some to use password management products.

The Damage Done

Antoine Vastel, vice president of research at online fraud and bot management company DataDome, commented about the threat of credential stuffing after Roku disclosed the first attack, saying that with 81% of individuals either reusing passwords or using similar ones, bad actors with access to lists of leaked credentials can easily find valid login and password combinations.

That can lead to significant economic and reputational damage for the targeted businesses, Vastel said.

“When cybercriminals succeed in taking control of an online account, they can perform unauthorized transactions, unbeknownst to the victims,” he said. “These often go undetected for a long time because logging in isn’t a suspicious action. It’s within the business logic of any website with a login page.”

Once inside a user’s account, the hacker has access to information like the person’s linked bank accounts and credit cards, as well as personal data they can use for identity theft.”