The streaming service Roku has said it discovered 576,000 user accounts were impacted by a cyberattack while investigating an earlier data breach.
Roku said it uncovered the second incident while monitoring account activity following the first breach earlier this year, when unauthorized actors accessed the accounts of about 15,000 users.
In both cases, threat actors are believed to have used a method known as “credential stuffing” to steal login information, i.e. usernames and passwords.
Credential stuffing is a type of automated cyberattack where fraudsters use stolen usernames and passwords from one platform and attempt to log in to accounts on other platforms.
“There is no indication that Roku was the source of the account credentials used in these attacks or that Roku’s systems were compromised in either incident,” Roku said in a statement.
“Rather, it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials,” it said.
According to Roku, which has 80 million active users, the security of its systems was not compromised, but some accounts were used to make fraudulent purchases.
“In less than 400 cases, malicious actors logged in and made unauthorized purchases of streaming service subscriptions and Roku hardware products using the payment method stored in these accounts,” Roku said.
It added that threat actors did not gain access to any sensitive information, including full credit card numbers or other full payment information.
Roku said it had enabled two-factor authentication for all accounts and reset the passwords of those affected by the cyberattacks. The provider also said it was notifying impacted customers about the incident and would refund or reverse damages.
One study showed that 81% of users reuse the same or similar passwords for multiple accounts, which makes it an "easy time" for malicious actors with access to a list of leaked credentials to find valid login combinations, according to Antoine Vastel, vice president of research at online fraud and bot management company DataDome.
"When cybercriminals succeed in taking control of an online account, they can perform unauthorized transactions, unbeknownst to the victims. These often go undetected for a long time because logging in isn’t a suspicious action. It’s within the business logic of any website with a login page. Once a hacker is inside a user’s account, they have access to linked bank accounts, credit cards, and personal data that they can use for identity theft," Vastel said.