Roku shared news of another security breach with its users on Friday after an incident in March that impacted thousands of users.
Early this year, Roku’s security monitoring systems detected an “increase in unusual activity.”
Credential stuffing is an attack in which hackers take users’ emails and passwords collected elsewhere and use them to try to log in to other websites.
“We concluded at the time that no data security compromise occurred within our systems, and that Roku was not the source of the account credentials used in these attacks,” Roku shared.
After the investigation finished, Roku notified customers in March and said it continued to monitor accounts in an effort to protect customers.
While monitoring, Roku said it learned of an additional incident that impacted approximately 576,000 more accounts.
There is no indication that Roku was the source of the account credentials used in these attacks or that Roku’s systems were compromised in either incident. Rather, it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials.
Roku said that in fewer than 400 cases, hackers logged into customer accounts and purchased streaming service subscriptions and hardware products using the payment method stored in these accounts.
However, Roku said the hackers did not gain access to sensitive information like full credit card numbers or other payment information.
The company has reset the passwords for all affected accounts and is notifying customers directly impacted by the breach.
Roku is also refunding or reversing charges for accounts that hackers used to purchase items.
Roku also chose to enable two-factor authentication for all accounts, including those not impacted. This means the next time you log in, a verification link will be sent to the email address associated with the account, which you will have to click to gain access.